Coordinated Vulnerability Disclosure
Senzer attaches great importance to the security of its systems. Despite all precautions, it remains possible that a vulnerability can be found in the systems. If you discover a vulnerability in one of our systems, we would like to hear from you so that we can take appropriate measures quickly. By making a report, you as reporter declare your agreement with the agreements below regarding Coordinated Vulnerability Disclosure and Senzer will handle your report in accordance with the agreements below. Reports will be received by the Information Security Service (IBD), which will coordinate further communication with Senzer.
We ask you:
- E-mail your findings to info@IBDgemeenten.nl. Encrypt your findings if possible with the PGP key "Producten - Informatiebeveiligingsdienst" of the IBD to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the problem so that the IBD can solve it as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities.
- Leave your contact details so that the IBD can contact you to work together on a safe result. Leave at least an e-mail address or a telephone number.
- Report the vulnerability as quickly as possible after its discovery.
- Do not share the information on the security problem with others until the problem has been solved.
- Handle the knowledge of the security problem with care by not performing any acts other than those necessary to demonstrate the security problem.
Avoid in any case the following acts:
- installing malware;
- copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system);
- making changes to a system;
- repeatedly accessing the system or sharing access with others;
- using so-called "brute force" to access systems;
- using denial-of-service attacks;
- social engineering, except to the extent strictly necessary to show that employees with access to sensitive data are generally (seriously) failing in their duty to treat such data with care. That is, if by otherwise perfectly legal means (i.e., not through blackmail or the like) it is generally too easy to persuade them to provide such data to unauthorized persons. In doing so, you should exercise all care that can reasonably be expected of you so as not to harm the employees in question themselves. Your findings should be aimed solely at demonstrating apparent defects in the procedures and working methods within Senzer and not at harming individual persons employed by Senzer.
What you can expect:
- If you comply with all of the above conditions, we will not file criminal charges against you or bring a civil case against you.
- If you are found to have violated any of the above conditions, we may still decide to take legal action against you.
- We will treat a report confidentially and will not share a reporter's personal information with third parties without their permission, unless we are required to do so by law or court order.
- By mutual agreement, if you wish, we may include your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an (automatic) confirmation of receipt within 1 business day.
- We respond to a report within 3 business days with an (initial) assessment of the report and possibly an expected date for resolution.
- We solve the security problem you reported as soon as possible. We strive to keep you well informed of the progress and never take longer than 90 days to solve the problem. We are often dependent on suppliers.
- It can be determined by mutual agreement whether and how the problem will be published after it has been solved.
- We can offer you a reward as a thank you for your help. Depending on the seriousness of the security problem and the quality of the report, this reward may vary from a simple "thank you" to an amount of up to 300 euros. The reward applies only to a previously unknown and serious security problem.