Coordinated Vulnerability Disclosure
Our Coordinated Vulnerability Disclosure Policy
Our dependence on digital infrastructure is ever increasing. This applies to society as a whole, but also to ourselves. It is therefore our opinion that governments and organisations (including ours) should strongly commit to securing our digital infrastructure. We do realise that, in spite of our best intentions and greatest care, vulnerabilities may exist in our systems. If you do happen to find one of these weaknesses, we would love to hear from you so we can resolve the issue.
What we expect from you
- When you are investigating one of our systems, bear in mind the proportionality of the attack. There is no need to demonstrate that when you subject our website to the largest DDoS attack in the history of the internet, the site may become unreachable. We know that. We also understand that if you drive a bulldozer into our office, you will probably be able to snatch one of our laptops.
- This principle of proportionality is also relevant when demonstrating the vulnerability itself. You should not inspect or modify more data than strictly necessary in order to confirm the validity of your finding. For instance, if you are able to modify our homepage, just add a single non-controversial word to it instead of taking over the entire page. If you can obtain access to a database, it suffices to show us a list of the tables that are in there, or perhaps the first record in one of these tables.
- A vulnerability in one of our systems should be reported as soon as possible by sending an email to security@bof.nl. Preferably you would encrypt your message using OpenPGP. Please provide enough information so we can reproduce and investigate the issue.
- You will not share your knowledge of the vulnerability with other parties as long as we have not addressed the issue and we are still within a reasonable timeframe since you reported the issue.
- You will delete all confidential information you have obtained during your investigation as soon as we have resolved the vulnerability.
What you can expect from us
- We will respond to your report within three days in a detailed manner. We will include an estimate of the time we will require to address the issue. Of course, we will regularly keep you posted on our progress.
- We will resolve the vulnerability as soon as possible. Here too, proportionality is important: the amount of time required to fix a vulnerability depends on several factors, among which the severity and the complexity of the issue at hand.
- When you follow the guidelines that are laid out here, we will not take legal action against you regarding your report.
- It is important to us to credit you for what you did - if you wish. We will mention your name in a publication regarding the vulnerability only if you agree to this.
- As a thank you for helping us in better protecting our systems, we would like to reward every report of a vulnerability that was unknown to us at the time. The reward will depend on the severity of the vulnerability and the quality of the report.
- Should you find a vulnerability in third party software that we use and that vulnerability is covered by a bug bounty program, we will not try to claim this bounty; you should.
Version 1.0 of 23 June 2017.
What vulnerabilities have been found?
We keep a Dutch list of all the vulnerabilities that have been found (and solved) through this coordinated vulnerability disclosure process.