Responsible disclosure

Our dependence on digital infrastructure and data has only grown in recent years. This is true of society as a whole, and it is the case for us as well. We believe that governments and organisations should therefore focus strongly on the security of digital infrastructure.

We are aware that, despite our best intentions and vigilance, our systems may contain a security vulnerability. If you discover a weakness in any of our systems, please let us know, so that we can fix the problem. There are two ways to discover a vulnerability: you can stumble on a weakness accidentally while using our digital environment in a routine way, or you can make a targeted effort to find one. Our responsible disclosure policy is not an invitation to actively scan our corporate network for vulnerabilities. We monitor our website ourselves.

Consequently, it is likely that we would spot such a scan and have it investigated by our Security Operations Centre (SOC), which may result in unnecessary costs. We would like to work with you to better protect both researchers and our systems.

What do we ask of you?

  • If you are investigating a vulnerability in one of our systems, keep in mind the proportionality of the attack. You do not have to demonstrate that if you launch the largest DDoS attack in the history of the internet on our website, we will be down for a while. We know that. This proportionality also applies to demonstrating the vulnerability itself. Do not examine or change more data than is strictly necessary to demonstrate the vulnerability. For example, if you change our front page, add a non-controversial word somewhere, rather than copying the entire page. If you access a database, a list of the tables or the first line from one of the tables will suffice.
  • Do not abuse the vulnerability by downloading, changing or deleting data, for example. We will always take your report seriously and will investigate any suspected vulnerability, even without ‘proof’.
  • Delete any confidential data obtained during your investigation right after we have fixed the vulnerability.
  • Do not share the problem with others until it is resolved.
  • Do not use attacks on physical security, social engineering or automated hacking tools such as vulnerability scanners.
  • Please provide us with sufficient information to reproduce the problem so we can fix it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more may be required with more complex vulnerabilities.

What we will do

  • We will respond in substance to your report within five working days and provide an estimate of how long it will take to resolve the problem. Of course, we will continue to provide you with regular updates on our progress in resolving the issue.
  • We will fix the vulnerability as quickly as possible. Again, proportionality is important: the time frame for resolving a vulnerability depends on several factors, including the severity and complexity of the vulnerability.
  • We will treat your report confidentially and will not share your personal data with third parties without your consent. The exception is where a report has to be filed with the police or judicial authorities, or where they request the data.
  • Unfortunately, it is not possible to rule out legal action against you in advance; we want to be able to assess each situation individually. NWO will take legal action if we suspect that the vulnerability or the data are being misused, or that you have shared knowledge of the vulnerability with others. We can guarantee that an accidental discovery in our online environment will not result in a report to the police.
  • We believe it is important to give you the credit you deserve and want. When we publish the vulnerability, we will mention your name only with your consent.
  • To thank you for your help, we will offer a reward for every report of a security vulnerability that is not already known to us. We will determine the size of the reward based on the severity of the vulnerability and the quality of the report.
  • If you find a vulnerability in the software that we use, but which was made by a third party, and that vulnerability is covered by a bug bounty program, then any reward will obviously be yours.

We aim to resolve all issues as quickly as possible and to keep all parties informed, and we are keen to be involved in any publication about the issue once it has been resolved.

Please report a vulnerability in one of our systems as soon as possible by sending an email to security@nwo.nl. Preferably send the report encrypted using OpenPGP. Include sufficient information to allow us to reproduce and investigate the problem.