Responsible disclosure - English version
CBR considers the security of its systems a top priority. Despite all precautions, it is still possible that a vulnerability in the systems can be found. If you discover a vulnerability in one of our systems, please notify us, so that we can take appropriate action quickly. By notifying us you declare that you agree to the agreements below on Responsible Disclosure and CBR will handle your notification in accordance with the agreements below.
Please do the following:
- E-mail your findings to cert@cbr.nl.
- Please provide us with sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but complex vulnerabilities may require further explanation.
- We welcome tips to help us solve the problem. However, please limit your advice to verifiable facts related to the vulnerability you have identified, and avoid advice that basically amounts to advertising specific (security) products.
- Please leave contact details so that we can get in touch with you to work together to achieve a safe outcome. Please leave at least one e-mail address or phone number.
- Please send us your findings as soon as possible after discovery of the vulnerability.
The following actions are not allowed:
- Placing malware, either on our systems or on those of others.
- So-called ‘brute forcing’ access to systems.
- Disclosing or providing information about the security problem to third parties before it is resolved.
- Taking actions beyond what is strictly necessary to demonstrate and report the security problem. For example, you should not copy confidential data to which you have had access due to the vulnerability. Instead of copying an entire database, a directory listing, for example, will normally suffice. Modifying or deleting data in the system is also not allowed.
- Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
- Abusing the vulnerability in any (other) way.
What to expect:
- If you comply with all the above conditions, we will not file criminal charges against you or bring a civil case against you.
- If you are found to have violated any of the above conditions, we may still decide to take legal action against you.
- We treat a report confidentially and do not share the reporter's personal details with third parties without their consent, unless we are required to do so by law or court order.
- We always share the received report with the CERTs within the government. This way, we ensure that the government shares its experiences in this area.
- By mutual agreement, if you wish, we can mention your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an (automated) acknowledgement of receipt within 1 working day.
- We will respond to a report within 5 working days with an (initial) evaluation of the report and, if necessary, an expected resolution date.
- We will resolve the security problem you reported as soon as possible. In doing so, we aim to keep you well informed of progress and never take longer than 90 days to solve the problem. However, we are often partly dependent on suppliers.
- It can be mutually agreed whether and how to publish about the problem after it has been resolved.
- We may offer a reward as a token of our gratitude for the assistance. Depending on the severity of the problem and the quality of the report, the reward may vary from a simple ‘thank you’ to a donation. However, this must involve an as yet unknown and serious security problem.