
Security and Operations Control Center

SOCC investigates and coordinates matters pertaining to information security incidents involving staff, students and/or systems at VU Amsterdam. This applies to incidents that appear to have originated within VU Amsterdam, and incidents whereby the university is the victim.

Reporting security incidents
In the event of a breach of security (or a suspected breach of security), you should contact SOCC immediately.
E-mail: socc@vu.nl (preferred)

We operate a Coordinated Vulnerability Disclosure policy (see below).

Postal address:
VU Amsterdam
VUCERT, room MP-N537
De Boelelaan 1105
1081 HV Amsterdam
The Netherlands
T: +31 (0)20 598 71 59 / Outside office hours, please call +31 (0)20 598 2222

More information
SOCC Charter

The following RSS feed provides up-to-date information about newly published vulnerabilities in widely used software: http://www.us-cert.gov/current/index.rdf

WHAT IS A SECURITY INCIDENT?

A security incident is an event that jeopardizes the confidentiality, integrity or availability of information or information processing systems. Examples of security incidents include infection with viruses or other malware, attempts to gain unauthorized access to information or systems (hacking), the loss of a USB stick containing confidential information, theft of data or hardware, or a compromised mailbox.

Discovering a security incident
If you suspect or discover a security incident, please report it to SOCC as swiftly as possible. The only condition is that it must in some way involve VU Amsterdam, either as the target or the source.

Coordinated Vulnerability Disclosure

  • What is it?

    At Vrije Universiteit Amsterdam we consider the security of our systems very important. Despite the care we take, vulnerabilities may still exist. If you find a weak spot in one of our systems, we are eager to cooperate with you in order to better protect our users and systems.

    No invitation for active scanning
    The fact that we have a policy for coordinated vulnerability disclosure is by no means an invitation to actively scan our systems for weak spots. We carefully monitor the network ourselves.

    Judicial prosecution
    During your investigation you may take actions that are prohibited by law. If you follow the conditions set out in this policy, we will not take legal action against you. The Dutch Public Prosecution Service, however, never forfeits its right to investigate and prosecute unlawful actions, and has published a policy paper [in Dutch] on the matter.

  • Our request
    • Please email your findings as soon as possible to socc.secure@vu.nl. We encourage you to send an encrypted email: encrypt it to our PGP key (fingerprint C6AE 0C40 1231 613B A445  1DF4 D6BE 6AA0 EC0E 819C) to prevent the information from falling into the wrong hands.
    • Do not abuse the found vulnerability by, for example:
      - downloading more data than necessary
      - modifying or removing data.
    • Be extra cautious with personal data.
    • Do not share the vulnerability with others until it has been resolved.
    • Do not test physical security, use social engineering, (distributed) denial-of-service, malware or spam, or test third-party applications.
    • Do provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. The IP address or the URL of the affected system along with a description of the vulnerability are usually sufficient, but complex vulnerabilities may require further explanation, e.g. a Proof of Concept (PoC).
    • Avoid the use of multimedia files. Use plain text and a screenshot.
  • What we promise
    • We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
    • We will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission unless the law requires us to provide your personal information.
    • You may report anonymously or under a pseudonym. In this case, however, we will not be able to contact you for things such as follow-up steps, progress on resolving the issue, potential publication, or any reward for reporting the vulnerability.
    • We will keep you informed of the progress towards resolving the problem.
    • If you wish, we will credit you by name as the discoverer in the vulnerability report.
    • We may give you a reward for your research but are not obligated to do so, so you are not automatically entitled to any reimbursement. The form of the reward is not fixed in advance and is determined by us case by case. Whether we grant a reward, and in which form, depends on the care taken in your investigation, the quality of the report and the severity of the vulnerability.
    • We strive to resolve all problems as quickly as possible and to keep all parties involved informed. We will gladly be involved in any publication about the vulnerability after it has been resolved.
  • Out of scope

    Vrije Universiteit does not reward trivial vulnerabilities or bugs that cannot be abused. The following are non-exhaustive examples of known and accepted vulnerabilities and risks that are outside the scope of this policy:

    • HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
    • Fingerprint version banner disclosure on common/public services.
    • Reports of deviations from best practices, or raw output of automated scanners, without proof of exploitability.
    • Output of automated scans from tools such as Nmap, web vulnerability scanners or SSL/TLS scanners.
    • Disclosure of known public files or directories or non-sensitive information, (e.g. robots.txt).
    • Clickjacking and issues only exploitable through clickjacking.
    • Lack of Secure/HttpOnly flags on non-sensitive cookies.
    • OPTIONS HTTP method enabled.
    • Anything related to HTTP security headers, e.g.:
      - Strict-Transport-Security.
      - X-Frame-Options.
      - X-XSS-Protection.
      - X-Content-Type-Options.
      - Content-Security-Policy.
    • SSL/TLS configuration issues:
      - forward secrecy not enabled.
      - weak or insecure cipher suites.
    • SPF, DKIM, DMARC issues
    • Host header injection.
    • Reporting older versions of any software without proof of concept or working exploit.
    • Information leakage in metadata.
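The "Our request" section above asks reporters to encrypt their email to the SOCC PGP key and gives its fingerprint. A key fetched from a keyserver is only as trustworthy as that fingerprint check, so the script below (an added example, not code from VU Amsterdam) refuses to encrypt unless the key gpg has locally carries exactly the fingerprint printed on this page. The fingerprint is the one the page lists; the keyserver (keys.openpgp.org), the presence of gpg on the machine, and the report/output file names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the VU page): verify the SOCC key's fingerprint
# before encrypting a vulnerability report to it.
# Assumptions: gpg is installed; the key is published on keys.openpgp.org.

# Fingerprint as printed on the VU SOCC page.
EXPECTED_FPR="C6AE 0C40 1231 613B A445  1DF4 D6BE 6AA0 EC0E 819C"

# Strip spaces and upper-case the hex digits so two fingerprints can be
# compared byte for byte regardless of how they were formatted.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Primary-key fingerprint gpg reports for a key in the local keyring, taken
# from the machine-readable --with-colons output ("fpr" record, field 10).
# Prints nothing if the key is not in the keyring.
keyring_fpr() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed (exit status 0) only when the observed fingerprint $2 is non-empty
# and identical to the expected fingerprint $1 after normalisation.
fpr_matches() {
    [ -n "$2" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fetch the key by its full fingerprint, check it, and only then encrypt
# the report ($1) to the armoured output file ($2).
encrypt_report() {
    report="$1"
    out="$2"
    fpr_nospace="$(normalize_fpr "$EXPECTED_FPR")"

    # Assumed keyserver. Fetch failure is tolerated here because the key may
    # already be in the keyring; the fingerprint check below is what matters.
    gpg --batch --keyserver hkps://keys.openpgp.org \
        --recv-keys "$fpr_nospace" >/dev/null 2>&1 || true

    actual="$(keyring_fpr "$fpr_nospace")"
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "refusing to encrypt: key not found or fingerprint mismatch (got '$actual')" >&2
        return 1
    fi

    # --trust-model always: the explicit fingerprint comparison above is the
    # trust decision, so gpg's web-of-trust validity is not consulted.
    gpg --batch --yes --armor --trust-model always \
        --recipient "$fpr_nospace" --output "$out" --encrypt "$report"
}

# Usage: ./encrypt_report.sh report.txt report.txt.asc
if [ "$#" -eq 2 ]; then
    encrypt_report "$1" "$2"
fi
```

Encrypting by the full 40-hex-digit fingerprint rather than by email address or short key ID avoids picking up a look-alike key that someone else uploaded under the same user ID; the `--trust-model always` flag is safe only because the script has already compared the fingerprint itself.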