Responsible Disclosure

The Municipality of Smallingerland attaches great importance to the security of its systems and the website. Despite all precautions, it is still possible that a weak spot can be found in the systems or the website. If you discover a weak spot in one of our systems, we would like to hear from you, so that we can quickly take appropriate measures. By submitting a report, you declare that you agree with the following agreements about Responsible Disclosure as a reporter and that the municipality of Smallingerland will handle your report in accordance with the agreements below.

We ask the following of you

  • Mail your findings via the secure mail facility at https://transfer.smallingerland.nl to the mailbox incidenten@smallingerland.nl, or contact the security officer, Mr G. van der Heide, via 0512-581234
  • Provide enough information to reproduce the issue so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require more information
  • We welcome any tips that will help us solve the problem. Please limit yourself to verifiable findings and vulnerabilities reported by you. Advice in the form of advertising for specific (security) products is not appreciated
  • Leave contact details so we can get in touch with you to work together towards a safe outcome. Leave at least one email address or phone number
  • Please submit the report as soon as possible after discovery of the vulnerability.

The following actions are not allowed

  • Placing malware, neither on our systems nor on those of others
  • So-called “brute force” attacks or cracking of access to systems, except to the extent strictly necessary to demonstrate a serious security deficiency in this area, that is, when it is extremely easy to use publicly available and affordable hardware and software to crack a password that could seriously compromise the system
  • Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data are generally (seriously) failing in their duty to handle it with care. That is, if it is generally too easy to persuade them to provide such data to unauthorized persons in an otherwise perfectly legal manner (not through blackmail). In doing so, you must exercise all due care that can reasonably be expected of you in order not to harm the employees concerned. Your findings should only be aimed at demonstrating apparent defects in the procedures and working methods within the municipality of Smallingerland and not at harming individuals who work at the municipality of Smallingerland
  • Disclosing or providing information about the security vulnerability to third parties before it is resolved
  • Taking actions that go beyond what is strictly necessary to demonstrate and report the security issue, in particular processing (including viewing or copying) confidential data
  • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks)
  • Abusing the vulnerability in any (other) way