Report vulnerability (CVD)
The municipality of Zwolle considers the security of its systems very important. Despite all precautions, it is still possible that a weak spot can be found in the systems. Have you discovered a weak spot in one of our systems? We would like to hear from you. Then we can quickly take appropriate measures. This way of working together is called Coordinated Vulnerability Disclosure (CVD).
The fact that the municipality of Zwolle has a Coordinated Vulnerability Disclosure policy is not an invitation to extensively and actively scan our company network for vulnerabilities. We monitor our company network ourselves. If you are investigating a vulnerability in one of our systems, consider the proportionality of the attack.
By submitting a report, you agree to the agreements below about the Coordinated Vulnerability Disclosure. The municipality of Zwolle will process your report in accordance with the agreements below.
E-mail your findings to firstname.lastname@example.org. If possible, encrypt the findings using Zivver. Or send the report by secure mail. This prevents information falling into the wrong hands. Submit the report as soon as possible after discovering the vulnerability.
We need at least the following information from you:
- Leave your details so we can contact you. Be sure to leave an e-mail address or telephone number.
- Provide sufficient information to reproduce the problem. We can then solve it as soon as possible. Usually you only need to send us the IP address or URL of the affected system and a description. For an extensive vulnerability, more information may be required. For example, a Proof of Concept.
- You delete all confidential information obtained in your investigation. You do this immediately after we have resolved the weakness.
- We always appreciate help in solving a problem. Provide information about the vulnerability that we can check. Avoid giving advice that amounts to advertising other (security) products.
- Do not abuse the vulnerability by, for example:
- Downloading more data than necessary to demonstrate the vulnerability.
- Changing or deleting data.
The following actions are not permitted:
- You may not place malware on our systems. Nor on those of others.
- You may not “brute force” access to the system. This is only permitted if there is no other option. For example, to show that the security is very poor. This means that it must be easy to crack a password with easily and cheaply available hardware and software. This password can then be used to expose the system to danger.
- You may only use social engineering if you have no other choice. You may only do this if you can demonstrate that employees who have access to sensitive data are not being careful. You must have legally persuaded employees to give this kind of data to people who are not allowed to have it. It is not permitted to harm employees of het municipality.
- You may only use what you have found to demonstrate that the municipality's procedures and practices are flawed.
- You may not pass the information of the security problem on to others until we have solved the problem.
- You may only do what is really necessary to show us the security problem and report it to us. You can give us a directory listing, rather than copying an entire database. You may never change or delete data in the system.
- You may not use techniques which impair the use and/or availability of the system or services (DoS attacks).
Handling your report
What you may expect from us:
- If you meet all the conditions, we will not file a criminal complaint. We will not file a civil lawsuit against you.
- If you have not adhered to these terms and conditions, we may initiate legal proceedings against you.
- We treat the report as confidential. We will only share your personal information with others if you have given us permission to do so. We also share the data if we are obliged to do so by law. Or if this is required by a court ruling.
- Municipalities share their experiences with each other. That is why we always share the received report with the Information Security Service for Municipalities.
- You remain anonymous as the discoverer of the vulnerability. If you want us to mention your name, we will do so.
- You will receive a confirmation of receipt within 2 working days.
- Within 5 working days you will receive a response from us with an assessment of the report.
- We will solve the reported security issue as soon as possible. We will keep you informed of the progress. We don't want to take more than 90 days to resolve the issue. However, we are often dependent on others to do so.
- After we have solved the problem, we can decide together whether the problem will be made public and how we will communicate this.
- We may reward you for your research, but are not obliged to do so. The form of this reward is not predetermined. We determine this on a case-by-case basis. Whether we give a reward and the form this takes, depends on:
- the carefulness of your investigation.
- the quality of the report.
- the severity of the weak spot.