Have you discovered a vulnerability?
Please email the following information to email@example.com:
- Your contact details (in case we have any questions): name, organisation, email address and phone number.
- Whether you want your name to be made public.
- Description of the vulnerability.
- Which system configurations do you think are vulnerable?
- How did you find the vulnerability? Mention any specific tools or techniques.
- Do you think the vulnerability is being exploited?
- Include any related files and CERT tracking IDs in the mail.
How can we work together to ensure secure systems?
We ask you:
- not to exploit vulnerabilities by, for example, downloading more data than is necessary to demonstrate the vulnerability, and to use extra caution when it comes to personal data: do not access, delete or modify any third-party data;
- not to share vulnerabilities with others until they are resolved, and to delete all confidential data obtained through vulnerabilities as soon as possible;
- not to use attacks on physical security or third-party applications, social engineering, distributed denial-of-service or spam;
- to provide sufficient information to reproduce the vulnerability so that we can resolve it quickly. Usually, an IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.
- to email your findings as soon as possible to firstname.lastname@example.org; preferably encrypt your findings with our PGP key.
In return, we promise:
- to respond to your report within three days with our assessment and an expected date for a solution;
- to treat your report as confidential; we will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation;
- to keep you informed, if you wish, of the progress in resolving the issue;
- to include your name as the discoverer of the vulnerability in any communications about the reported problem, if you so choose;
- that it is possible to report anonymously or under a pseudonym. Be aware that this means we will not be able to contact you about the next steps, the progress of the remediation, publication or a possible reward for the report;
- to offer a reward for your help, for every first report of a vulnerability that is still unknown to us. The size of the reward will be determined by the severity of the vulnerability and the quality of the report, and will vary from an honourable mention to a gift;
- to strive to resolve reported problems as quickly as possible. We are happy to be involved in any publication about the problem after it has been solved.
Definitions: What is a vulnerability and CVD?
A vulnerability is a property of a society, organisation or information system or a component thereof that impairs the resilience of this entity. A vulnerability provides an opportunity for a malicious party to inflict damage because the protection against damage is inadequate. For example, a malicious party may be able to prevent and influence legitimate access to information or functionality or gain unauthorised access. Vulnerabilities are the 'gateways' through which threats can lead to incidents. Resolving vulnerabilities is a direct way of reducing threats and reducing the chance of incidents. (Source: NCSC)
Coordinated Vulnerability Disclosure
Responsible Disclosure, or Coordinated Vulnerability Disclosure (CVD), is the disclosure of ICT vulnerabilities in a responsible manner, in collaboration between the reporter and the organisation, based on a policy the organisation has drawn up for this purpose.