Report vulnerability
The municipality attaches great importance to the security of its systems. Nevertheless, it is possible that weaknesses (vulnerabilities) exist. Have you discovered a weakness (vulnerability) on the website or in a system of the municipality? Please report it. The municipality will review the report and take action as soon as possible. This way of working together is called Coordinated Vulnerability Disclosure (CVD). If you make a report, both you and we abide by the agreements below.
We ask the following of you
- Email your findings to datalek@8ktd.nl. Preferably use our Zivver implementation for encryption and confidentiality.
- Please provide enough information to reproduce the problem so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.
- We welcome tips to help us solve the problem. However, please limit your tips to verifiable facts related to the vulnerability you have identified, and avoid advice that in practice amounts to advertising specific (security) products.
- Please leave contact information so we can get in touch with you to work together for a safe outcome. Please leave at least one email address or phone number.
- Please submit the report as soon as possible after discovering the vulnerability.
The following actions are not permitted
- Placing malware, either on our systems or on those of others;
- So-called "brute-forcing" of access to systems, except to the extent strictly necessary to demonstrate a serious security deficiency in this area, that is, if it is extraordinarily easy to use publicly available and readily affordable hardware and software to crack a password that could seriously compromise the system;
- Using social engineering except to the extent strictly necessary to demonstrate that employees with access to sensitive data are generally (seriously) failing in their duty to treat it with care. That is, if by otherwise perfectly legal means (i.e. not through blackmail or the like) it is generally too easy to persuade them to provide such data to unauthorized persons. In doing so, you should exercise all care that can reasonably be expected of you so as not to harm the employees in question themselves. Your findings should be aimed only at demonstrating apparent flaws in procedures and practices and not at harming individuals;
- Disclosing or providing to third parties information about the security problem before it is resolved;
- Taking actions beyond what is strictly necessary to demonstrate and report the security problem, particularly where this involves processing (including viewing or copying) confidential data to which you gained access through the vulnerability. Instead of copying an entire database, a directory listing, for example, is normally sufficient. Changing or deleting data in the system is never permitted;
- Using techniques that reduce the availability and/or usability of the system or services (DDoS attacks);
- Misusing the vulnerability in any (other) way.
What we promise
- If you meet all of the above conditions, we will not file criminal charges against you or bring a civil case against you.
- If it turns out that you did violate any of the above conditions, we may still decide to take legal action against you.
- We treat a report confidentially and do not share a reporter's personal information with third parties without their permission, unless we are required to do so by law or court order.
- By mutual agreement, if you wish, we may include your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an (automatic) confirmation of receipt within 1 week and we will keep you informed about the progress of the solution.
