Responsible disclosure

At Vrije Universiteit Amsterdam we regard the security of our systems as very important. Despite the care we take, it is still possible that they have weak spots. If you find a weak spot in one of our systems, we would like to hear from you so that we can take adequate measures.

Our ‘Responsible Disclosure’ policy is by no means an invitation to actively scan our systems for weak spots. We carefully monitor the network ourselves.

Nevertheless, we appreciate your cooperation in protecting our clients and systems in the best possible way.

We ask you:

  1. To e-mail your findings to socc.secure@vu.nl as soon as possible after discovering the vulnerability, stating 'Responsible Disclosure' in the subject field and including the name of the platform or environment.
  2. To send only one notification per e-mail. Each notification should provide sufficient information to reproduce the problem, indicate the risk, and propose a solution.
  3. To send notifications in plain text only, accompanied by a Proof of Concept (PoC) and at most 1 image. Rich text, ZIP files and videos will not be accepted.
  4. To not share information about the security problem with others until it is resolved.
  5. To handle your knowledge of the security problem responsibly, taking no actions beyond what is necessary to demonstrate it.

In any case, avoid the following actions:

  1. Placing malware.
  2. Copying, altering or removing information in a system. Instead, please make a listing or a screenshot.
  3. Changing (settings in) a system.
  4. Repeatedly trying to gain access to the system, or sharing access to the system with others.
  5. Trying ‘brute force’ or ‘hammering’ techniques to access the system.
  6. Trying denial-of-service or social engineering methods.

Our promise:

  1. If you comply with the conditions above when detecting a vulnerability in an IT system of VU Amsterdam, we will not take any legal action concerning your notification.
  2. We will treat your notification confidentially and never share your personal data without your permission, unless we are legally obliged to do so or are forced to by a court ruling.
  3. In special cases, and in consultation with you, we can mention your name as the discoverer of the reported vulnerability if you wish.
  4. We will send you a confirmation of receipt as soon as possible.
  5. We will inform you of our decision to accept or reject the reported vulnerability.
  6. When the vulnerability is fixed, we will let you know, and as a thank you we can offer a reward.

We strive to solve every problem as soon as possible and would like to be involved in any publication about the problem, after it has been solved.