Responsible disclosure aims to increase the digital resilience among citizens and organisations, and therefore regularly calls attention to topics such as online safety, cybercrime and privacy.

Safety is a very important issue and despite our investments in the security of the website, it may occur that there is a weak spot.

Have you come across a vulnerability? Please let us know as soon as possible, so that we can solve the issue. We always take reports seriously and will investigate any potential security problem.

Please note that this responsible disclosure is not an invitation to extensively check and test the website for vulnerabilities: this is done by us regularly.

We kindly ask you:

  • To e-mail your findings confidentially to [email protected].
  • To include adequate information to trace and/or reproduce the issue. Usually, the IP-adress or URL of the affected system, plus a description of the vulnerability are sufficient. In case of more complex issues, more information may be needed.
  • Not to misuse the problem by, for example, downloading more data than is strictly necessary to prove the leak or weak spot.
  • Not to copy, modify or delete data from the system.
  • Not to share the problem with others until it is resolved.
  • Not to execute ‘brute force’ or ‘denial of service’.
  • To include your contact information (e-mail address and phone number) so that we can contact you for easy cooperation.
  • To delete all confidential data immediately after the problem has been resolved.

Does your report comply with these conditions? Then you may expect the following from us:

  • We will respond within 3 working days with an assessment of the report and an expected date for a solution.
  • We will keep you informed of the process.
  • We will process your report confidentially. We will not share your personal data with third parties, unless necessary to meet legal requirements.
  • A coincidental discovery of a vulnerability in our systems will not lead to legal action.
  • We will mention your name in announcements about the issue, if you wish.
  • To thank you for reporting an issue not yet noted by us, you may be eligible for a reward, provided that your report complies with our conditions and it indeed concerns a security flaw. If several issues are reported by the same person, there is one reward available. If several persons report the same issue, there is only a reward available for the first person to report the issue. The amount of the reward depends on the severity of the issue and the quality of the report, up to a maximum of 300 euros in vouchers.

We gladly cooperate with you to further improve the security of our website. We strive to solve any issues as quickly as possible and we ask you to inform us about any publications about the problem after it is solved.

This responsible disclosure is based on Floor Terra’s text, published under the CC BY 3.0 NL license.