Search
Lees Voor
CVD melden Deelnemer worden
NL EN
Search

Coordinated Vulnerability Disclosure

At Z-CERT we find the safety of our own systems very important. Despite our concern for the security of our systems, it is possible that there is a weak spot.

If you have found a weak spot in one of our systems, we would like to hear this so that we can take measures as soon as possible. We would like to work with you to better protect our participants and our systems.

We ask you to:

Send your findings to [email protected] Encrypt your findings with our PGP key.
Not to misuse the problem by, for example, downloading more data than is necessary to prove the leak or to view, delete or modify data from third parties,
Do not share the problem with others until it is resolved and delete all confidential data obtained from the leak immediately after closing the leak.
Do not use attacks on physical security, social engineering, (distributed) denial of service, spam or third party applications.
Results of a vulnerability scan or a vulnerability service, will not be accepted.
Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.

What we promise:

We will respond to your report within 5 days with our assessment of the report and an expected date for a solution.
If you have complied with the above conditions, we will not take any legal action against you regarding the report.
We will treat your report confidentially and will not share your personal information with third parties without your consent, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
We will keep you informed of the progress of the problem.
In reporting on the reported problem we will, if you wish, mention your name as the discoverer, and
As a thank you for your help, we offer a reward for every report of an unknown security problem. We determine the size of the reward on the basis of the severity of the leak and the quality of the report.
We strive to solve all problems as quickly as possible and we are happy to be involved in any publication about the problem after it has been resolved.

With thanks to Floor Terra for his sample text in Dutch on https://responsibledisclosure.nl/.

Not in scope:

Z-CERT will not process reports of vulnerabilities or security issues that can not be abused or are trivial. Below are a couple of examples of known vulnerabilities and issues that are outside the scope. This does not mean they are not important or should not be resolved, however our CVD process is meant for issues that can be actively abused. For example a vulnerabilities that can be abused by a public available exploit or a misconfiguration that can be used to bypass an existing security control. This list of exclusions is derived from a list used by the CERT of Surf (https://www.surf.nl/responsible-disclosure-surf).

  1. HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injections in these pages
  2. Fingerprinting/version disclosures op public services
  3. Public files or directories that do not contain confidential information
  4. All disclosures of confidential/sensitive information will be judged by Z-CERT or the healthcare organization involved, and might be labeled “out of scope” if they do not pose a significant risk.
  5. Click jacking, problems that can only be exploited by clickjacking
  6. No secure/HTTP-only flags on unconfidential cookies
  7. OPTIONS HTTP method enabled
  8. Rate-limiting without clear impact
  9. All issues related to HTTP security headers, for example:
    1. X-Frame-Options
    2. X-XSS-Protection
    3. X-Content-Type-Options
    4. Content-Security-Policy
    5. Strict-Transport-Security
  10. SSL security configurattion issues, for example:
    1. SSL Forward secrecy disabled
  11. No TXT record for DMARC or a missing CAA-record
  12. Host header injection
  13. Reports of outdated versions of any software without a proof of concept of a working exploit
  14. Absence of security best practices or hardening measures. Though important, they are not within scope of a CVD process. Example:
    1. xmlrpc.php/wp-json of a wordpress website
    2. Absence of rate limiting measures.
  15. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  16. Social engineering of healthcare organisation staff or contractors. For example creating phishing pages.
  17. Issues that result in Denial of Service (DoS) to organisations servers at the network or application layer.
  18. Issues that require unlikely user interaction
  19. Cross-site Request Forgery with minimal security impact
  20. Issues related to software or protocols not under the organizations control. For example known issues with ARP or HL7.
  21. It is possible that your report on an issue overlaps with a report on the same issue by another individual. In this case we will only accept the first report received by us.

Last update: 20 september 2021

We zijn de hele dag bezig met het digitaal veiliger maken
van de Nederlandse zorg