Report vulnerability
The municipality attaches great importance to the security of its systems. However, weak spots (vulnerabilities) may still exist. If you discover a weak spot (vulnerability) on the website or in a system of the municipality, please report it. The municipality will review the report and take measures as soon as possible. This method of collaboration is called Coordinated Vulnerability Disclosure (CVD). If you make a report, we will adhere to the agreements below.
We ask the following from you:
- Email your findings to datalek@8ktd.nl. Preferably use our Zivver implementation for encryption and confidentiality.
- Provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be needed for more complex vulnerabilities.
- We welcome any tips that help us solve the problem. Please limit yourself to verifiable facts related to the vulnerability you have identified and avoid advice that is essentially advertising for specific (security) products.
- Leave your contact details so we can get in touch with you to work together on a safe outcome. Please provide at least one email address or phone number.
- Please submit the notification as soon as possible after discovering the vulnerability.
The following actions are not permitted:
- Placing malware, neither on our systems nor on those of others;
- The so-called "brute-forcing" of access to systems, except to the extent strictly necessary to demonstrate that the security in this area is seriously deficient, that is, if it is extremely easy to crack a password using publicly available and affordable hardware and software, and the system can thereby be seriously compromised;
- Using social engineering, except when strictly necessary to demonstrate that employees with access to sensitive data generally (seriously) fail in their duty to handle it carefully. This means that it is generally too easy to persuade them to provide such data to unauthorized persons in a completely legal manner (i.e., not through blackmail or similar means). You must exercise all care that can reasonably be expected of you to avoid harming the employees in question. Your findings should be solely aimed at demonstrating obvious flaws in the procedures and working methods, and not at harming individual persons.
- Disclosing or providing information about the security problem to third parties before it has been resolved;
- Performing actions that go beyond what is strictly necessary to demonstrate and report the security problem, in particular when it comes to processing (including viewing or copying) confidential data that you have had access to due to the vulnerability. Instead of copying a complete database, a directory listing, for example, will normally suffice. Changing or deleting data in the system is never allowed.
- Using techniques that reduce the availability and/or usability of the system or services (DDoS attacks);
- Any form of abuse of the vulnerability.
What we promise
- If you meet all of the above conditions, we will not file a criminal complaint against you, nor will we bring a civil case against you.
- If it turns out that you have violated any of the above conditions, we may still decide to take legal action against you.
- We treat reports confidentially and do not share a reporter's personal data with third parties without their permission, unless we are required to do so by law or a court ruling.
- In mutual consultation, we can, if you wish, mention your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an (automatic) confirmation of receipt within 1 week and keep you informed of the progress of the solution.