Coordinated Vulnerability Disclosure municipal website

    Coordinated Vulnerability Disclosure

    Our municipality of Kerkrade attaches great importance to the security of its systems. Despite all precautions, it remains possible that a weakness in the systems can be found. If you discover a vulnerability in one of our systems, we would like to hear from you so that we can take appropriate action quickly. By making a report, you, as reporter, agree to the agreements below regarding the Coordinated Vulnerability Disclosure, and the municipality of Kerkrade will handle your report in accordance with the agreements below.

    We ask the following of you:

    • Email your findings to gemeentehuis@kerkrade.nl. If possible, encrypt the findings (for example with WinZip or 7-Zip) to prevent the information from falling into the wrong hands.
    • Please provide enough information to reproduce the problem so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.
    • We welcome tips that help us solve the problem. Please limit your tips to verifiable, factual information related to the vulnerability you have identified, and avoid advice that amounts to advertising specific (security) products.
    • Please leave contact information so we can get in touch with you to work together for a safe outcome. Please leave at least one email address or phone number.
    • Please submit the report as soon as possible after discovery of the vulnerability.

    The following actions are not permitted:

    • Placing malware on our systems or on those of others.
    • So-called "brute-forcing" of access to systems.
    • Using social engineering.
    • Disclosing or providing information about the security problem to third parties before the problem is resolved.
    • Taking actions beyond what is strictly necessary to demonstrate and report the security problem. This applies in particular to processing (including viewing or copying) confidential data to which the vulnerability gave you access: instead of copying an entire database, a directory listing, for example, is normally sufficient. Changing or deleting data in the system is never permitted.
    • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
    • Misusing the vulnerability in any (other) way.

    What to expect:

    • If you meet all of the above requirements, we will not file criminal charges against you, nor will we bring a civil case against you.
    • If it turns out that you did violate any of the above conditions, we may still decide to take legal action against you.
    • We treat a report confidentially and do not share a reporter's personal information with third parties without their permission, unless we are required to do so by law or court order.
    • We always share the received report with the Information Security Service for Municipalities (IBD). In this way, we ensure that municipalities share their experiences in this area.
    • By mutual agreement, if you wish, we may include your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
    • We respond to a report within 5 business days with an (initial) assessment of the report and possibly an expected date for resolution.
    • We will resolve the security issue you reported as quickly as possible. We strive to keep you well informed of the progress and never take longer than 90 days to solve the problem. However, we are often partly dependent on suppliers.
    • It can be mutually agreed whether and how to publish about the problem after it is resolved.