Reporting vulnerabilities / Responsible disclosure / Coordinated Vulnerability Disclosure (CVD)
De Connectie considers (digital) security important. Have you seen or found a vulnerability? Report it! View the procedure: Coordinated Vulnerability Disclosure.
Coordinated Vulnerability Disclosure
De Connectie is a partnership between the municipalities of Arnhem, Renkum and Rheden. Together, these three municipalities are the owners of De Connectie.
De Connectie focuses on the operational management of and for the municipalities, so that they can fully focus on their residents and businesses. In addition, De Connectie also provides a number of products and services to other organizations, namely: ODRA, the Arnhem social district teams, West Veluwe Valley Safety House and Arnhem region, Overbetuwe and the municipality of Rozendaal.
De Connectie believes it is essential that its IT systems are secure and strives for the highest possible security. Nevertheless, it can always happen that there is a weakness in one of these systems.
Vulnerabilities in IT systems of De Connectie
If you have found a weak spot in one of De Connectie's IT systems, we would like to hear from you. In this way we are able to take measures as quickly as possible to remedy the vulnerability found. In order to be able to deal with the vulnerabilities found in our IT systems in a responsible manner, there are agreements that you can keep to us.
De Connectie asks you:
- E-mail your findings to firstname.lastname@example.org and / or upload via https://securetransfer.connect... to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the problem so that De Connectie can solve the problem as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may of course require more information.
- Leave contact details so that De Connectie can contact you to work together to achieve a safe result. Leave at least one e-mail address or telephone number.
- Make the report as soon as possible after discovery of the vulnerability.
- Do not share the information about the security issue with others until it is resolved.
- Act responsibly in dealing with the knowledge of the security issue by not performing any actions that go beyond what is necessary to demonstrate the security issue.
Therefore, at least avoid the following actions:
- Placing malware.
- Copying, changing or deleting data in a system (an alternative is to make a directory listing of a system).
- Making changes to the system.
- Repeated access to the system or sharing access with others.
- Using the so-called "gross force" of access to systems.
- Making use of denial-of-service attacks (DDoS) or social engineering.
- What you can expect from us:
- If you meet the above conditions when reporting, De Connectie will not take legal measures.
- De Connectie treats a report confidentially, and does not share personal information with third parties without the consent of the reporter, unless this is required by law or pursuant to a court decision.
- In mutual consultation, De Connectie can, if you wish, state your name as the discoverer of the reported vulnerability.
- De Connectie will send you a confirmation within one working day.
- De Connectie responds within three working days to a report with the assessment of the report and an expected date for a solution.
- De Connectie keeps the notifier informed of the progress in solving the problem.
- De Connectie solves the security problem that you have discovered in a system as quickly as possible, but no later than within 60 days. In mutual consultation it can be determined whether and how the problem will be published after it has been resolved.
- De Connectie offers a reward as a thank you for the help. Depending on the seriousness of the security problem and the quality of the report, that reward can vary from a T-shirt to a maximum of 300 euros in gift vouchers. The problem found must be an unknown and serious security issue for De Connectie.
Vulnerabilities in third-party IT systems
If you have found a weakness in a government system or in a system with a vital function, you can contact the National Cyber Security Center (NCSC). For systems from other owners / managers and / or suppliers you must first approach those organizations yourself. If the organization does not respond or does not respond well, you can inform the NCSC. The NCSC will take on a role as an intermediary in order to achieve a joint result.
For more information, please visit: https://www.ncsc.nl/actueel/leidraad-coordinated-vulnerability-disclosure.html
For notifications about third-party systems:
- The NCSC responds to a report within three working days by contacting the owner and giving you a response.
- The owner is primarily responsible for keeping the reporter informed of the progress of the problem.
- The NCSC will assist the owner with advice so that the security problem can be solved as quickly as possible.
- Ask the NCSC to provide us with information about whether and how there has already been contact with the organization.