Coordinated Vulnerability Disclosure
The National Cyber Security Centre (NCSC) contributes to jointly enhancing the resilience of Dutch society in the digital domain and, in doing so, helps realise a safe, open and stable information society by providing insight and offering a perspective for action. It is therefore essential that the ICT systems of the NCSC are secure. The NCSC strives to provide a high level of security for its systems. However, it can occur that one of these systems has a vulnerability.
Vulnerabilities in ICT systems of the NCSC
If you have found a weak spot in one of the ICT systems of the NCSC, the NCSC would like to hear about it from you, so that the necessary measures can be taken as quickly as possible to rectify the vulnerability. To deal responsibly with vulnerabilities in the NCSC ICT systems, we propose several agreements. You may hold the NCSC to these when you discover a weak spot in one of our systems.
The NCSC asks you:
- E-mail your findings to firstname.lastname@example.org. If possible, encrypt your findings with the PGP key of the NCSC to prevent the information from falling into the wrong hands.
- Provide sufficient information to reproduce the problem, so that the NCSC can solve it as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities.
- Leave your contact details so that the NCSC can contact you to cooperate on a safe result. Leave at least an e-mail address or a telephone number.
- Report the vulnerability as quickly as possible after its discovery.
- Do not share the information on the security problem with others until the problem has been solved.
- Handle the knowledge on the security problem with care by not performing any acts other than those necessary to reveal the security problem.
Avoid in any case the following acts:
- installing malware.
- copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system).
- making changes to a system.
- repeatedly accessing the system or sharing access with others.
- using so-called “brute force” to access systems.
- using denial-of-service or social engineering.
What you can expect:
- If you comply with the conditions above when reporting the observed vulnerability in an ICT system of the NCSC, the NCSC will not attach any legal consequences to this report.
- The NCSC handles a report confidentially and does not share personal details with third parties without permission from the reporter, unless this is mandatory by virtue of a judicial decision.
- In mutual consultation, the NCSC can, if you desire, mention your name as the discoverer of the reported vulnerability.
- The NCSC will send you a confirmation of receipt within one working day.
- The NCSC responds within three working days to a report with an assessment of the report and an expected date for a solution.
- The NCSC keeps the reporter up-to-date on the progress made with solving the problem.
- The NCSC solves the security problems you have observed in a system as quickly as possible, but no later than within 60 days. Whether and in what way the problem will be published after it has been solved is determined in mutual consultation.
- The NCSC offers a reward as thanks for your help. Depending on the seriousness of the security problem and the quality of the report, the reward can vary from a T-shirt to a maximum of EUR 300 in gift vouchers. It must concern a serious problem that is unknown to the NCSC.
Vulnerabilities in ICT systems of third parties
The NCSC would also like to hear from you if you find a weak spot in a system of the Dutch government or in a system with a vital role. For systems of other owners, administrators and/or suppliers, you must in the first instance approach the organisation yourself. If the organisation does not respond, or responds inadequately, you can inform the NCSC. In that case, the NCSC will act as an intermediary to achieve a result together.
For reports on systems of third parties:
- The NCSC will respond to a report within three working days by contacting the owner and giving you a response.
- The owner is primarily responsible for keeping the reporter informed about the progress made in solving the problem.
- The NCSC will help the owner with advice so that the security problem can be solved as quickly as possible.
- The NCSC asks you to give us information on whether and how there has already been contact with the organisation.
The NCSC has published a general guideline for Coordinated Vulnerability Disclosure. This guideline helps organisations to draft their own Coordinated Vulnerability Disclosure policy. In addition, it gives reporters a guide on how to act in finding and reporting a vulnerability.
Date modified: 11 October 2018