What you should consider with Responsible Disclosure
If you report a vulnerability in an ICT system, consider the following:
- Provide enough information to reproduce the problem, so that it can be resolved as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient; more complex vulnerabilities may require more detail.
- Leave contact details (email address or telephone number) so that you can be contacted.
- Report the vulnerability as soon as possible after discovery.
- Do not share information about the vulnerability with others until it is resolved.
- Be responsible with the knowledge of the security problem. Do not take actions beyond what is necessary to demonstrate the vulnerability.
If you meet these conditions when reporting, no legal consequences will be attached to your report.
Do not abuse a weakness in an ICT system
If you discover a vulnerability, do not abuse it, for example by:
- Placing malware;
- Copying, changing or deleting data in a system (an alternative is making a directory listing of the system);
- Making changes to the system;
- Repeatedly accessing the system or sharing access with others;
- Using so-called "brute forcing" to gain access to systems;
- Using denial-of-service attacks or social engineering.
What happens with a Responsible Disclosure report
Have you reported a weakness in an ICT system? Your report is handled as follows:
- You will receive a confirmation within 1 working day;
- You will receive a response to your report within 3 working days. This response includes an assessment of the report and an expected resolution date;
- As a reporter you will be kept informed of the progress of solving the problem;
- The security issue will be resolved as soon as possible, and no later than 60 days after the report. Together with you, it will be determined whether and how the reported problem will be communicated; communication will only take place after the problem has been solved;
- As a thank you for the help, you will be offered a reward.
Your report will be treated confidentially. Personal data is not shared with third parties without your permission, unless this is required by law or by court order. If you wish, your name can be listed as the discoverer of the reported vulnerability.