Coordinated Vulnerability Disclosure

We ask that you do the following:

• Mail your findings to security@Beverwijk.nl. If possible, encrypt the findings using our PGP key to prevent the information from falling into the wrong hands.
• Please provide enough information to reproduce the problem so we can resolve the issue as soon as possible. The IP address or URL of the affected system and a description of the vulnerability is usually sufficient, but more may be required for more complex vulnerabilities.
• We welcome tips to help us resolve the problem. Limit the report to verifiable factual information that relates to the vulnerability identified and avoid the advice being effectively advertising specific (security) products.
• Leave at least one email address or phone number so we can get in touch to work together for a safe outcome.
• Submit the report as soon as possible after discovering the vulnerability.

The following is not permitted:

• Placing malware: neither on our systems, nor those of others;
• “Brute forcing” access to systems, except to the extent strictly necessary to demonstrate a serious security deficiency in this area, i.e. if it is very easy to use publicly available and readily affordable hardware and software to crack a password that could seriously compromise the system;
• Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data in general are (seriously) failing in their duty to treat it with care. That is, if by otherwise perfectly legal means (i.e. not via blackmail, for example) it is generally too easy to persuade them to provide data to unauthorised persons. All care is then reasonably expected not to harm the employees concerned themselves. Your reports are for the purpose of demonstrating apparent flaws in the procedures and working methods within the Municipality of Beverwijk and not for the purpose of harming individuals employed by the municipality of Beverwijk;
• Disclosing or providing information about the security problem to third parties before it is resolved;
• Taking actions beyond what is strictly necessary to demonstrate and report the security problem. In particular, where this involves processing (including viewing or copying) confidential data to which you have had access due to the vulnerability. Rather than copying an entire database, a directory listing, for example, will normally suffice. Changing or deleting data in the system is never allowed;
• Using techniques that reduce the availability and/or usability of the system or services (DoS attacks);
• Misusing the vulnerability in any (other) way.

What we pledge:

• If all of the above conditions are met, we will neither file criminal charges nor bring a civil case.
• If it turns out that any of the above conditions have nevertheless been violated, we may still decide to take legal action.
• We treat reports confidentially and do not share a reporter’s personal data with third parties without permission, unless we are required to do so by law or court order.
• By mutual agreement, we can, if desired, list your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
• We will send you a confirmation of receipt within two working days and we will keep you informed about the progress of the solution.
• For a valid report, the reporter will receive an entry in the Hall of Fame in mutual consultation.
• We also like to hear if you have found a weakness in a system. For systems of other owners/managers and or suppliers, that organisation itself will have to be approached in the first instance. If the organisation does not respond or does not respond properly, the Municipality of Beverwijk can take on an intermediary role to find a solution together.