Responsible Disclosure (English)
Meerinzicht considers the security of its systems important. Despite the great care we take regarding security, weak points can still remain. If you have found such a weakness, we would like to hear about it as soon as possible so that we can take appropriate measures as quickly as possible.
Weak points can be discovered in two ways: you can accidentally come across something during normal use of a digital environment, or you can explicitly set out to find them. Our responsible disclosure policy is not an invitation to actively scan our business network for weak points.
By making a report, you declare that you agree with the following terms on Responsible Disclosure, and Meerinzicht will handle your findings in accordance with those same terms.
- To e-mail your findings to firstname.lastname@example.org.
- Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities.
- We welcome tips that help us solve the problem. Please, however, limit yourself to verifiable facts that relate to the vulnerability you have identified, and avoid advice that in effect amounts to advertising for specific (security) products.
- Leave your contact details so that the IBD (Municipal Information Security Service) can contact you to work together on a safe outcome.
- At least, leave an e-mail address or a telephone number.
- Report the vulnerability as quickly as possible after its discovery.
The following actions are not permitted:
- Installing malware.
- Using so-called “brute force” to access systems.
- The use of social engineering, except insofar as this is strictly necessary to demonstrate that employees with access to sensitive data generally fall (seriously) short in their duty to handle it carefully; in other words, that it is generally too easy, by otherwise perfectly legal means (not blackmail or the like), to persuade them to provide such data to unauthorized persons. You must take all care that can reasonably be expected of you not to harm the employees concerned. Your findings should focus only on demonstrating obvious defects in the procedures and working methods within the municipality, not on harming individual persons working at the municipality.
- Sharing information about the security problem with others before the problem has been solved.
- Performing actions that go beyond what is strictly necessary to demonstrate and report the security problem. This applies especially to processing (including viewing or copying) confidential data that you have accessed through the vulnerability.
- Instead of copying a complete database, a directory listing is normally sufficient. Changing or deleting data in the system is never permitted.
- Using denial-of-service attacks, or social engineering beyond the narrow exception described above.
- Abusing the vulnerability in any other way.
- If you comply with the conditions above when reporting the observed vulnerability in an ICT system of Meerinzicht, we will not attach any legal consequences to your report.
- If it appears that you have violated one of the above conditions, we may still decide to take legal action against you.
- The IBD handles a report confidentially and does not share personal details with third parties without the reporter's permission, unless this is required by a judicial decision.
- We always share the received report with the Municipal Information Security Service (IBD). This way we ensure that municipalities share their experiences in this area.
- In mutual consultation we can, if you wish, mention your name as the discoverer of the reported vulnerability. In all other cases, you remain anonymous.
- We will send you an (automatic) confirmation of receipt within 1 working day.
- We respond within 5 working days to a report with a (first) assessment of the report and possibly an expected date for a solution.
- We solve the security problem that you reported as quickly as possible. In doing so, we strive to keep you well informed of the progress and to take no more than 90 days to solve the problem. We are often partly dependent on suppliers.
- Whether and how the problem will be published after it has been resolved can be determined in mutual consultation.
- Depending on the nature and circumstances, we may offer you a "thank you". This applies only to a serious security problem that was not yet known to us.
We strive to solve all problems as quickly as possible and to keep all parties involved informed, and we are happy to be involved in any publication about the problem after it has been resolved.