Coordinated Vulnerability Disclosure (EN)

The municipality of Maasdriel attaches great importance to the security of its systems. Despite all precautions, it remains possible that a weak spot can be found in the systems. We would like to hear from you if you discover a weak spot in one of our systems so that we can quickly take appropriate measures. By making a report, the municipality of Maasdriel will handle your report in accordance with the procedure below.

We ask the following of you:

• Send an email with your findings to info@maasdriel.nl and mention “CVD” or “Responsible Disclosure” in the subject line.
• Report as soon as possible after discovering the vulnerability.
• Do not share information about the security issue with others until you hear from us whether the issue was resolved.
• Provide enough information to reproduce the problem. So that we can resolve it as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more information.
• We welcome tips that will help us solve the problem. Please limit yourself to verifiable facts that relate to the vulnerability you have identified and avoid that your advice is in fact advertising for specific (security) products.
• Leave contact details, so that we can contact you to work together towards a safe outcome. Leave at least one email address or phone number to contact you.

 
The following actions are not allowed:

• Placing malware, neither on our systems nor on those of others.
• So-called “brute forcing” of access to systems, except to the extent that this is strictly necessary to demonstrate that security in this area is seriously deficient. That is if it is extremely easy to crack a password that could seriously compromise the system with use of publicly available and affordable hardware and software.
• Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data generally fail (seriously) in their duty to handle it with care. That is, if it is generally too easy to persuade them to provide such data to unauthorized persons in an otherwise completely legal manner (not through blackmail or the like). You must exercise all care that can reasonably be expected of you so as not to harm the employees in question themselves. Your findings must be aimed exclusively at demonstrating apparent defects in the procedures and working methods within the municipality and not at harming individuals who work for the municipality.
• Disclosing or providing third parties with information about the security issue before it is resolved.
• Taking actions that go beyond what is strictly necessary to demonstrate and report the security problem. In particular when it comes to processing (including viewing or copying) confidential data to which you have had access due to the vulnerability. Instead of copying a complete database, you can normally suffice with, for example, a directory listing. Changing or deleting data in the system is never permitted.
• Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
• Abusing the vulnerability in any (other) way.

What we promise:

• If you find a vulnerability and have complied with the procedure, we have no reason to attach legal consequences to your report. We will treat your report confidentially and will not share personal information with third parties without your permission, unless this is required by law or a court order.
• If it turns out that you have violated any of the above conditions, we may still decide to take legal action against you.
• We treat a report confidentially and do not share personal data of a reporter with third parties without their permission, unless we are obliged to do so by law or a court decision.
• The municipality will share its experiences in this area with umbrella organizations such as IBD and VNG.
• By mutual agreement, if you wish, we can mention your name as the discoverer of the reported vulnerability. In all other cases you remain anonymous.
• If desired, we can make a nomination for inclusion in “the hall of fame” at the IBD.
• We will send you an (automatic) confirmation of receipt within 1 working day and we will keep you informed on the progress of the solution.
• We can offer you a reward as a thank you for your help. Depending on the severity of the security problem and the quality of the report, the reward can vary from a simple 'thank you', a t-shirt or gift voucher.
• If you have found a weak spot in a system of an organization with which the municipality maintains a relationship with its products and/or services, you should first approach the organization itself. If the organization does not respond or does not respond properly, you can inform the IBD. They will take on a role as an intermediary to jointly achieve a result.