Responsible Disclosure (English)
The municipality of Edam-Volendam attaches great importance to the security of its systems. Despite all precautionary measures, it is possible that a weak spot can be found in the systems. If you discover a weak spot in one of our systems, we would like to hear from you so that we can quickly take appropriate measures.
Vulnerabilities in ICT systems of Edam-Volendam
If you have found a weak spot in one of the ICT systems of the municipality of Edam-Volendam, the municipality of Edam-Volendam would like to hear about this from you, so the necessary measures can be taken as quickly as possible to rectify the vulnerability. To deal responsibly with vulnerabilities in the ICT systems of the municipality of Edam-Volendam, we propose several agreements. You may hold the municipality of Edam-Volendam to these when you discover a weak spot in one of our systems.
The municipality of Edam-Volendam asks you:
- E-mail your findings to PIB@Edam-Volendam.nl. If possible, encrypt your findings with the PGP key of the municipality of Edam-Volendam to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the problem so that the municipality of Edam-Volendam can solve the problem as quickly as possible. The IP address or the URL of the affected system and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities.
- Leave your contact details so that the municipality of Edam-Volendam can contact you to cooperate on a safe result. Leave at least an e-mail address or a telephone number.
- Report the vulnerability as quickly as possible after its discovery.
- Do not share the information on the security problem with others until the problem has been solved.
- Handle the knowledge on the security problem with care by not performing any acts other than those necessary to reveal the security problem.
In any case, avoid the following acts:
- installing malware.
- copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system).
- making changes to a system.
- repeatedly accessing the system or sharing access with others.
- using so-called “brute force” to access systems.
- using denial-of-service or social engineering.
What you can expect:
- If you comply with the conditions above when reporting the observed vulnerability in an ICT system of the municipality of Edam-Volendam, the municipality of Edam-Volendam will not attach any legal consequences to this report.
- The municipality of Edam-Volendam handles a report confidentially and does not share personal details with third parties without permission from the reporter, unless this is mandatory by virtue of a judicial decision.
- In mutual consultation, the municipality of Edam-Volendam can, if you desire, mention your name as the discoverer of the reported vulnerability in our Hall of Fame.
- The municipality of Edam-Volendam will send you a confirmation of receipt within one working day.
- The municipality of Edam-Volendam responds ASAP to a report with an assessment of the report and an expected date for a solution.
- The municipality of Edam-Volendam keeps the reporter up-to-date on the progress made with solving the problem.
- The municipality of Edam-Volendam solves the security problems observed by you in a system as quickly as possible, but no later than within 60 days. Whether and in what way the problem will be published after it has been solved is determined in mutual consultation.
- The municipality of Edam-Volendam offers a small token of appreciation for serious problems.
- By mutual agreement we can mention your name as the discoverer of the reported vulnerability in our "Hall Of Fame" and if you wish, we place a reference to your portfolio.