Coordinated Vulnerability Disclosure
At Z-CERT we find the safety of our own systems very important. Despite our concern for the security of our systems, it is possible that there is a weak spot.
If you have found a weak spot in one of our systems, we would like to hear this so that we can take measures as soon as possible. We would like to work with you to better protect our participants and our systems. If you comply with our Coordinated Vulnerability Disclosure policy we have no reason to take legal action against you regarding the reported vulnerability.
We ask you to:
– Make sure that your findings are in scope. Further on this page you can check what is considered to be out-of-scope.
– Please use this CVD-form to send your findings to [email protected], encrypted with our PGP-key.
– Provide adequate information to allow us to investigate and reproduce the vulnerability. Fill out every aspect of the CVD-form. This helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities. You may add a proof of concept as an attachment.
– Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
– If you suspect to have access to medical data we ask you to let us verify this.
– Do not share information on vulnerabilities until they have been resolved and erase any obtained data as soon as the problem is solved.
– Do not attack (physical) security using social engineering, distributed denial of service, spam, brute force attacks, third-party applications for instance, or other types of attacks.
How we will handle your report:
– Z-CERT will treat your report confidentially and will not share your personal data unless required by law.
– Z-CERT will send you a confirmation of receipt and will respond within five working days with an evaluation of your report and an expected resolution date.
– Z-CERT will keep you informed of the progress in resolving the problem.
– In communication about the reported problem we will mention your name as the discoverer of the problem (unless you desire otherwise).
– Z-CERT offers a thank you reward which can vary depending on the severity of the vulnerability and the quality of the report.
We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved we will decide in consultation whether and how details will be published.
With thanks to Floor Terra for his sample text in Dutch on responsibledisclosure.nl.
Last update: 12 october 2022