Coordinated Vulnerability Disclosure
The Internet Standards Platform considers the security of the Internet.nl website very important. Despite the care we have taken to ensure security, an existing vulnerability may be found or a new one may arise.
Have you found a security flaw in the Internet.nl website? You might have accidentally run across one in the normal operation of this site, or perhaps you have been actively trying to find a vulnerability. In either case, please let us know, so we can take action as soon as possible.
By the way, this is not an invitation to extensively scan and test our site for weaknesses. We are doing this ourselves.
We would like to work with you to further improve the security of our website. We will always take your notifications seriously and will look into any suspected vulnerabilities.
We ask you to:
- mail your findings to firstname.lastname@example.org as soon as possible;
- preferably encrypt your e-mail with our PGP key;
- provide sufficient information to replicate the problem, so we can fix it as soon as possible; the IP address or the URL is generally sufficient, along with a description of the vulnerability, but for more complex vulnerabilities we may need more information;
- not run tests that attack via physical security, social engineering, or third-party applications;
- not run brute force or denial of service attacks;
- not exploit the vulnerability to, for example, change or delete data, or install malware;
- not share the problem with others until we have fixed it;
- not copy data from our systems, other than what's absolutely necessary to demonstrate the leak;
- leave your contact data (e-mail address and phone number), so we can get in touch and work with you to fix the problem.
We promise:
- to respond to your notification within three working days, with an evaluation of your report and an expected date for a solution;
- to treat your report confidentially: we will not share your personal information without your consent, except to the police and the judiciary if a police report is made or if this information is legally required;
- to keep you informed of our progress in solving the problem;
- to include your name as the discoverer of the vulnerability in any news reports, if you wish;
- that an accidental discovery of a vulnerability will not lead to legal charges against you, as long as you play by the rules and act in the spirit of Coordinated Vulnerability Disclosure;
- as a token of our gratitude, we will give you a t-shirt for each report of a problem not yet known to us; we know this is not a big reward, but we do not want to stimulate active scanning for vulnerabilities.