Provincie Zuid-Holland prioritizes the security of its systems. Despite every precaution being taken, it is still possible that a weakness may be found in the systems. If you discover a weakness in one of our systems, please let us know, so that we can swiftly take appropriate action. By disclosing a vulnerability, you are the disclosing party and declare that you accept the below agreements concerning the Coordinated Vulnerability Disclosure, and Provincie Zuid-Holland will process your disclosure in accordance with the below agreements.
We ask you to do the following:
- E-mail your findings to informatieveiligheid@pzh.nl
- Use of a PGP key is optional. You can find Zuid-Holland's public key at www.zuid-holland.nl/.well-known/pgp-key.txt
- Provide enough information to reproduce the problem, so that we can resolve it swiftly. Usually, the IP address or the URL of the system affected and a description of the vulnerability is sufficient, but in more complex vulnerabilities, more may be needed.
- We welcome any tips that will help us to resolve the issue. Please only provide verifiable facts concerning the vulnerability you have detected, and avoid giving advice which, in reality, amounts to advertising for specific security or other products.
- Provide contact details, so that we can get in touch with you to work together to restore security. As a minimum, provide an e-mail address or telephone number.
- Please submit the disclosure as soon as possible after discovering the vulnerability.
The following actions are not permitted:
- Placing malware on our systems or those of others.
- Performing brute-force attacks to gain access to a system, except to the extent that this is strictly necessary to prove that security measures in this area are seriously deficient, meaning it is exceptionally easy to retrieve passwords using openly available and affordable hardware and/or software that can seriously compromise the system.
- Using social engineering.
- Disclosing information about the security problem, or sharing such information with third parties, before the problem has been resolved.
- Doing anything more than is strictly necessary in order to flag and report the security issue. This applies in particular to processing (including viewing or copying) confidential data to which you gained access as a result of the vulnerability. Rather than copying an entire database, a directory listing, for instance, will normally suffice. Modifying or deleting data in the system is never permitted.
- Using techniques which impede the availability and/or usability of the system or services (DDoS and DoS attacks).
- Abusing the vulnerability in any way whatsoever.
What you can expect
- If you satisfy all the above conditions, we will not bring criminal proceedings or initiate a civil case against you.
- Should it become apparent that you have violated any of the above conditions, we may decide to take proceedings against you.
- We handle disclosures in confidence and do not share a disclosing party's data with third parties without his or her consent, unless we are required by law or a court ruling to do so.
- We may share disclosures received with other Dutch governmental partners to improve the security posture of Dutch governmental organizations.
- If you wish, we may agree to disclose your name as the person who discovered the reported vulnerability. In all other cases, you will remain anonymous.
- We will send you an automated acknowledgement of receipt.
- We respond to disclosures within 5 working days, with an assessment, or preliminary assessment, of the disclosure and, if appropriate, the date by which we expect to resolve the issue.
- We may agree with you whether, and when, the problem will be disclosed to the public, once it has been resolved.