Report digital vulnerability
Coordinated vulnerability disclosure
We consider the security of our systems and processes to be important. Despite all the measures we take, vulnerabilities may still arise. Have you discovered a vulnerability in one of our systems? If so, we would appreciate it if you reported it to us, so that we can take measures to eliminate the vulnerability as quickly as possible. We would like to work with you to better protect our systems and the data of our residents. By reporting a vulnerability, you agree to the following rules.
What do you do if you discover a vulnerability?
- Email your report to cvd@aalten.nl. Encrypt your message with our PGP key to prevent the information from falling into the wrong hands. You can find the PGP key in the attachment at the bottom of this page.
- Provide enough information for us to find, reproduce and resolve the problem as quickly as possible. Your report should contain:
  - the IP address or URL of the affected system;
  - a proof of concept (PoC) showing how you found and triggered the vulnerability;
  - the CVE identifier, if one exists (CVE is the public list of known vulnerabilities in software);
  - a clear description of the vulnerability.
- Report the vulnerability as soon as possible after you discover it.
- Share tips that help us solve the problem. Support your tips with facts and avoid advertising particular (security) products.
- Leave your contact details so that we can work with you towards a safe outcome. We need at least an email address or a phone number.
What should you not do, under any circumstances?
- Abuse the vulnerability in any way, for example by downloading more data than is necessary to demonstrate the leak, or by viewing, deleting or modifying third-party data.
- Share the vulnerability with others or make it public before we have resolved it.
- Take more actions than are necessary to demonstrate and report the security problem.
- Use any of the following:
  - attacks on physical security;
  - social engineering: exploiting human traits such as curiosity, trust, greed, fear and ignorance;
  - (distributed) denial of service: attacks that make a computer system unavailable to its users;
  - phishing: defrauding people via the internet;
  - attacks on third-party applications.
- Place malware on our systems or those of third parties.
What can you expect from us?
- We treat your report confidentially and do not share your personal information with third parties without your permission, unless the law or a court order requires us to do so.
- You will receive an automatic acknowledgement of receipt within 1 business day.
- Within 7 business days you will receive an (initial) assessment of the report and, where possible, an expected date for a solution.
- We will try to solve the problem within 90 days, working with you where possible. In any case, we will keep you informed of what we are doing.
- Where possible, we share the report with the Information Security Service for Municipalities (IBD), so that municipalities can learn from each other's experiences in this area.
- Does your report genuinely help to improve the security of our systems? Then you will receive an appropriate reward for your help. The reward depends on the seriousness of the security problem and the quality of the report, and is only given for a previously unknown and serious security problem.
You may assume that your report will have no legal consequences for you if you follow the ground rules above. If it turns out that you did not follow the rules, we may still decide to take legal action against you. In doing so, we will assess whether you acted in the public interest and whether your actions were proportionate and necessary (proportionality and subsidiarity).