Responsible disclosure

Our Responsible disclosure policy is by no means an invitation to actively scan our systems for weak spots. We carefully monitor the network ourselves.
Nevertheless, we appreciate cooperating with you to protect our clients and systems in the best possible way.

We ask you:


1. To inform us as soon as possible after you have found a vulnerability, with a Proof of Concept (POC), preferably by e-mail to vucert.secure@vu.nl mentioning Responsible disclosure. We accept one Responsible Disclosure per e-mail.

2. To provide sufficient information for reproducing the problem, so we can create a solution as soon as possible. Usually the IP address or the URL of the system and a short description of the vulnerability (POC) are sufficient; more complex vulnerabilities may require additional information.

3. To provide your contact information, so VUCERT is able to reach you and work together with you on a quick and safe result. At a minimum, an e-mail address or phone number is required.

4. Not to share information about the security problem with others until it is solved.

5. To act responsibly with your knowledge about the security problem, by not taking any actions beyond what is needed to show that the security problem exists.

6. We take your report seriously and investigate every hint of a vulnerability, even if there is no “proof”.

In any case, avoid the following actions:


1. Placing malware.

2. Copying, altering or deleting data in a system (an alternative is making a directory listing of the system).

3. Making changes to the system itself.

4. Repeatedly trying to gain access to the system, or sharing access to the system with others.

5. Using brute force to access the system.

6. Using denial-of-service or social engineering.

Our promise:


1. If you comply with the above conditions when detecting a vulnerability in an IT system of the Vrije Universiteit, we will not attach any legal consequences to your report.

2. We handle your report confidentially and never share your personal data without your permission, unless we are legally required to do so or are forced to by a court ruling.

3. By mutual consent, we can mention your name as discoverer of the reported vulnerability.

4. Where possible, we send you a confirmation of receipt.

5. We respond to a report as soon as possible, with our conclusions regarding the report and an expected date for the solution of the problem.

6. We keep you informed about the progress of the solution.

7. As a thank you, we offer a reward for every report that leads to a previously unknown security problem. The reward is an Amazon gift card.

We strive to solve every problem as soon as possible and would like to be involved in any publication about the problem after it has been solved.