Responsible Vulnerability Disclosure

This page is part of MBO Digitaal and is a service for the participating secondary Vocational Education and Training (VET) colleges in the Netherlands.

Despite our security efforts, a weakness could exist in one of the colleges' systems. If you have found one, we would like to hear about it so that we can take appropriate measures as quickly as possible. We are keen to cooperate with you to better protect users and systems. This responsible disclosure procedure describes how to report a vulnerability you have detected. This statement applies to the VET colleges that participate in it.

A vulnerability can be reported by email to cvd@surfcert.nl. If your report contains sensitive information, encrypt your findings with our PGP key so that the information cannot fall into the wrong hands. SURFcert is the sectoral CERT for the National Research and Education Network (NREN) in the Netherlands. Reports must be clear and contain the steps needed to reproduce the vulnerability; put those steps in the body of the message. This responsible disclosure policy is not an invitation to actively scan our network or systems for weaknesses. We actively monitor our networks, so your scan is likely to be picked up and investigated by our Computer Emergency Response Team (CERT), which may lead to unnecessary costs.

What we ask of you

  • Before reporting your finding, check that it is not on the out-of-scope list.
  • Do not abuse the vulnerability you have found, for example by:
    • downloading more data than necessary
    • changing or deleting data
  • Be extra careful with personal data.
  • Do not share the vulnerability with others until it has been resolved.
  • Do not test physical security or third-party applications, and do not use social engineering, (distributed) denial-of-service attacks, malware or spam.
  • Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you have. Be assured that your report will be handled by specialists.
  • Provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but complex vulnerabilities may require further explanation.

What we promise

  • We will respond to your report within 5 business days with our evaluation and an expected resolution date. There is no need to ask about progress or request updates before then.
  • We will keep you informed of the progress towards resolving the problem.
  • You can report anonymously or under a pseudonym. In that case, however, we will not be able to contact you about follow-up steps, progress on resolving the issue, publication, or any reward for the report.
  • If you wish, we will name you as the discoverer of the vulnerability in the report on it.
  • We may reward you for your research, but we are not obliged to do so; you are therefore not automatically entitled to a reward. The form of any reward is not fixed in advance and is determined by us case by case. Whether a reward is given, and in what form, depends on the care taken in your investigation, the quality of the report and the severity of the vulnerability.
  • We thank everybody who has reported a vulnerability responsibly in our Hall of Fame.
  • We strive to solve all problems as quickly as possible and to keep all parties involved informed. We would like to be involved in any publication about the vulnerability after it has been resolved.
  • During your investigation, you may take actions that are prohibited by law. If you follow the conditions set out in this policy, we will not take legal action against you. However, the Public Prosecutor always retains the right to decide whether or not to prosecute you.