Coordinated Vulnerability Disclosure

Senzer attaches great importance to the security of its systems. Despite all precautions, it remains possible that a vulnerability is present in one of them. If you discover a vulnerability in one of our systems, we would like to hear from you so that we can take appropriate measures quickly. By submitting a report you, as the reporter, accept the terms below regarding Coordinated Vulnerability Disclosure, and Senzer will handle your report in accordance with those same terms. Reports are received by the Information Security Service (IBD, Informatiebeveiligingsdienst), which coordinates further communication with Senzer.


Which assets are in scope? 

In principle, all assets (websites, domains, IP addresses) associated with Senzer are in scope. Senzer also collaborates with other organizations, so an exhaustive list of assets would be difficult to keep up to date in this statement.

The following assets are in scope: 

  • *.senzer.nl 
  • *.senzervoorjou.nl

Senzer also maintains close ties with many local organizations. These organizations are not part of Senzer, however, and Senzer is therefore not directly responsible for the security of their IT systems. The following assets are out of scope: 

  • *.leer-en-werkmarkt.nl 
  • *.wsphelmond-depeel.nl

Do you believe you have identified an asset related to Senzer that is not listed above? Please explain in your report why you think that asset belongs to Senzer. 


Which vulnerabilities are in scope? 

In principle, all types of vulnerabilities are in scope as long as they affect the security of Senzer’s services. This includes the privacy of our customers.

Senzer is continuously working to improve the security mindset around its IT services. As a result, some hardening best practices are implemented as part of larger projects rather than as individual fixes, which is why the issues below are excluded.

Please do not report findings that only demonstrate the presence of the following issues; they are out of scope: 

  • Missing security and privacy headers, as indicated by the OWASP Secure Headers Project. 
  • Clickjacking, where the report consists only of the missing headers from the previous point. 
  • Missing SPF, DMARC, DKIM configuration. 
  • Missing SSHFP and TLSA records. 
  • Absence of CAA records. 
  • Lack of noticeable protection against brute force attacks on login forms. 

Senzer occasionally receives reports of issues that have only theoretical impact. Senzer has decided that the risk posed by these problems is too low to justify the time needed to resolve them. Without compelling evidence of an exploitable vulnerability, we do not handle or reward reports of the following types: 

  • Missing Cache-Control header.
  • Outdated software components.
  • Disclosure of software component versions (exception: debug pages and phpinfo() pages are in scope). 
  • Text injection on 404 pages. 
  • TLS configuration issues of SMTP servers.


We ask you:

  • Report the vulnerability you have discovered as soon as possible via incident@IBDgemeenten.nl. Where possible, encrypt your findings with the IBD’s PGP key (named “Producten - Informatiebeveiligingsdienst”) so that the information cannot fall into the wrong hands. 
  • Note: If you report anonymously, Senzer cannot contact you. 
  • Provide enough information to reproduce the issue, so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require additional details.
  • Do not misuse the vulnerability. For example, do not access others’ data. Also, do not alter or delete others’ data. If you download data, only download what is necessary to demonstrate the vulnerability. 
  • We appreciate tips that help us address the problem. Please focus on verifiable facts related to the vulnerability you have identified and avoid advice that amounts to advertising specific (security) products. 
  • Leave contact information so that we can work with you towards a secure outcome. Please provide at least an email address or phone number. 
  • Submit the report promptly upon discovering the vulnerability.  


In any case, avoid the following actions:

  • Installing malware: Neither on our systems nor on those of others.
  • Brute-forcing access to systems.
  • Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data generally (and seriously) fail in their duty to handle it with care: that is, that it is generally too easy to persuade them, by otherwise perfectly legal means (not blackmail or the like), to hand such data to unauthorized persons. In doing so, exercise all the care that can reasonably be expected of you so as not to harm the employees themselves. Your findings must be aimed solely at demonstrating apparent defects in Senzer’s procedures and working methods, never at harming individual Senzer employees.
  • Disclosing information about the security problem to the public or third parties before the problem has been resolved.
  • Performing actions that go beyond what is strictly necessary to demonstrate and report the security problem, in particular when it comes to processing (including viewing or copying) confidential data that the vulnerability gave you access to. Instead of copying a complete database, a directory listing is usually sufficient. Modifying or deleting data in the system is never allowed.
  • Using techniques that reduce the availability or usability of the system or services (denial-of-service attacks).
  • Exploiting the vulnerability in any other way.


What you can expect:

  • If you comply with all of the above conditions, we will not file criminal charges against you or initiate a civil case against you.
  • If it turns out that you have violated any of the above conditions, we may still decide to take legal action against you.
  • We treat a report confidentially and will not share a reporter’s personal information with third parties without the reporter’s permission, unless we are required to do so by law or court order.
  • By mutual agreement, if you wish, we may mention your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
  • We will send you an (automatic) confirmation of receipt within 1 business day.
  • We will respond to a report within 3 business days with an (initial) assessment of the report and possibly an expected date for resolution.
  • We will resolve the security issue you reported as quickly as possible. We aim to keep you well informed of progress and to take no longer than 90 days to resolve the problem; in this process we often depend on suppliers.
  • By mutual agreement, it can be determined whether and how the problem will be published after it has been resolved.
  • We may offer you a reward as a thank-you for your help. Depending on the seriousness of the security issue and the quality of the report, this reward ranges from a simple ‘thank you’ to an amount of up to 300 euros. A reward is only given for a previously unknown and serious security issue.