Report vulnerability

Revised 28th of March 2022

The Internet Standards Platform thinks the security of the Internet.nl website is very important. Despite the care we have taken to ensure security, it could still happen that a vulnerability is found.

Have you found a security flaw in the Internet.nl website? You might have accidentally run across one in the normal operation of this site, or perhaps you have been actively trying to find a vulnerability. In either case, please let us know, so we can take action as soon as possible.

By the way, this is not an invitation to extensively scan and test our site for weaknesses. We are doing this ourselves.

We would like to work with you to further improve the security of our website. We will always take your reports seriously when it is compliant with our Coordinated Vulnerability Disclosure policy and will look into any suspected vulnerabilities.

In our following policy on Coordinated Vulnerability Disclosure we explain what we ask you and what we promise when you report a vulnerability to us.

We ask you to:

  • send your findings to us per email or via a GitHub security advisory as soon as possible;
  • if sending an email, preferably encrypt your email with our PGP key;
  • provide sufficient information to replicate the problem, so we can fix it as soon as possible; the IP address or the URL is generally sufficient, along with a description of the vulnerability, but for more complex vulnerabilities we may need more information;
  • not run tests that attack via physical security, social engineering, or third-party applications;
  • not run brute force or denial of service attacks;
  • not exploit the vulnerability to, for example, change or delete data, or install malware;
  • not share the problem with others until we have fixed it;
  • not copy data from our systems, other than what is absolutely necessary to demonstrate the leak;
  • leave your contact data (e-mail address and phone number), so we can get in touch and work with you to fix the problem.

We promise:

  • to respond to your notification within three working days, with an evaluation of your report and an expected date for a solution;
  • to treat your report confidentially: we will not share your personal information without your consent, except to the police and the judiciary if a police report is made or if this information is legally required;
  • to keep you informed of our progress in solving the problem;
  • to include your name as the discoverer of the vulnerability in any news reports, if you wish;
  • that an accidental discovery of a vulnerability will not lead to legal charges against you, as long as you play by the rules and act in the spirit of Coordinated Vulnerability Disclosure;
  • as a token of our gratitude, we will give you a t-shirt for each report of a security issue not yet known to us; we know this is not a big reward, but we do not want to stimulate active scanning for vulnerabilities.

Exclusions:

Since our time is scarce, we ask you:

  • to not report trivial findings for which there are no known exploits and/or for which there is no real risk involved;
  • to not blindly report findings from automated vulnerability scanning tools. Do not copy-paste the findings in an e-mail, but first take some time to understand the nature of our website before reporting anything;
  • to realise that our tools are open source and available for reuse. We cannot be held responsible for implementations by others.

Below are some examples of findings that you should not report. If you do, please realise that we do not reward these reports and we might not respond to your e-mail.

  • Vulnerabilities regarding domains other than internet.nl;
  • Header information disclosures;
  • SSRF vulnerability (this is not a vulnerability but intended functionality necessary for the proper functioning of Internet.nl);
  • Publicly accessible files or folder with non-sensitive information (like robots.txt or images);
  • Missing standards which are not promoted by Internet.nl (like MTA-STS);
  • Alleged deviations that do comply with the test standard used by Internet.nl itself (like for a certain security header).