Report a vulnerability (CVD)

Listen

Have you discovered a flaw or weakness in a website or IT system belonging to the municipality? Please report it. The municipality can then investigate the problem and resolve it as quickly as possible. This will help the municipality to protect its data and systems even better. This way of working together is known as Coordinated Vulnerability Disclosure (CVD).

The municipality secures the data in its websites and IT systems with great care. Nevertheless, they may still contain weaknesses. Computer criminals can exploit these vulnerabilities. They do this by breaking into the system and changing or stealing data for criminal activities. If you report these weaknesses, you are helping the municipality to keep its data safe.

Report a vulnerability

  • Report the weakness you discovered as quickly as possible using Zerocopter.
Report a vulnerability

Please note

  • If you make the report anonymously, the municipality cannot contact you.
  • Provide enough information so that the municipality can investigate (reproduce) the problem and resolve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the issue is enough. Additional information is often needed for more complex vulnerabilities.
  • Do not exploit the vulnerability. Do not view the information of other people. Also do not delete or modify the data of other people. If you download data, do not download more than is strictly necessary to show the weak spot.
  • Do not share the vulnerability with other people until the municipality has resolved it.
  • Delete all confidential data which you have downloaded once the municipality has resolved the problem. Do not share any of this data with other people.
  • Do not use:
    • technologies which will put the municipality’s services at risk
    • attacks on physical security, such as turnstiles and locks
    • psychological manipulation (social engineering)
    • attacks which use large numbers of login attempts (brute-force attacks)
    • spam

After your report

The municipality:

  • will respond to your report within 10 working days with an assessment and an expected timeframe for a solution.
  • will inform you about the progress in resolving the vulnerability.
  • will not take any legal steps against you for reporting the issue if you have complied with the conditions above.
  • will treat your report with confidentiality. It will not share your personal details with third parties without your consent, unless it is legally required to do so. You are allowed to make the report using a pseudonym.
  • may offer you a reward as a token of gratitude. The municipality will decide this on a case by case basis. The size of the reward depends primarily on the seriousness of the vulnerability and the quality of your report.

The municipality will try to resolve any vulnerabilities as quickly as possible and to inform all parties involved. The municipality would like to be informed of any plans to publish resolved vulnerabilities.

This text is based on a text by Floor Terra. The text is available at responsibledisclosure.nl/en and shared under a Begin external link: Creative Commons Attribution 3.0 Unported license(External link), end external link..

Also see Hâck The Hague

Published: 17 August 2021

Modified: 30 December 2024

Contact

How can we help?

Chat

Phone

070 353 30 00

More options

To contact page