Coordinated Vulnerability Disclosure
At Z-CERT we find the safety of our own systems very important. Despite our concern for the security of our systems, it is possible that there is a weak spot.
If you have found a weak spot in one of our systems, we would like to hear this so that we can take measures as soon as possible. We would like to work with you to better protect our participants and our systems.
We ask you:
- Mail your findings to [email protected] Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
- Not to misuse the problem by, for example, downloading more data than is necessary to prove the leak or to view, delete or modify data from third parties,
- Do not share the problem with others until it is resolved and delete all confidential data obtained from the leak immediately after closing the leak.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or third party applications.
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.
What we promise:
- We will respond to your report within 3 days with our assessment of the report and an expected date for a solution.
- If you have complied with the above conditions, we will not take any legal action against you regarding the report.
- We will treat your report confidentially and will not share your personal information with third parties without your consent, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
- We will keep you informed of the progress of the problem.
- In reporting on the reported problem we will, if you wish, mention your name as the discoverer, and
- As a thank you for your help, we offer a reward for every report of an unknown security problem. We determine the size of the reward on the basis of the severity of the leak and the quality of the report.
We strive to solve all problems as quickly as possible and we are happy to be involved in any publication about the problem after it has been resolved.
With thanks to Floor Terra for his sample text in Dutch on https://responsibledisclosure.nl/.