Coordinated vulnerability disclosure

Security of its IT systems is of great importance to the city of Delft. Despite all our precautions, we can’t rule out the possibility of a weak spot.

If you have found a weak spot in one of the IT systems of the city of Delft, we invite you to contact us, so we can take action to fix the vulnerability as soon as possible. To deal with the vulnerabilities in the City of Delft’s IT systems in a responsible way, we use the following rules for Coordinated vulnerability disclosure.

The City of Delft would like to ask you:

  • To e-mail your findings to incident@delft.nl. In case of confidential or critical findings, use the encrypted mail service, same e-mail address, to prevent confidential or critical information falling into the wrong hands.
  • To report the vulnerability as quickly as possible after its discovery.
  • To provide sufficient information to reproduce the problem in order to help us solve the problem as quickly as possible. The IP address or the URL of the system affected and a description of the vulnerability are usually sufficient, but more may be needed in case of more complex vulnerabilities.
  • To leave your contact details, at least an e-mail address or telephone number. We may need your cooperation to achieve a safe result. You may use an alias, provided we can contact you.

How to disclose a security problem

In general we expect you to act responsibly and not to abuse the vulnerability you have found. Handle your knowledge of the security problem with care by not performing any acts other than those necessary to reveal the security problem. Do not share information about the security problem with others until the problem has been solved.

The following actions are not allowed:

  • Use of social engineering to gain access to systems
  • Attacking physical protection to gain access to systems (e.g. breaking and entering)
  • Use of so-called “brute force” to access systems
  • Use of “distributed denial of service attacks”
  • Installing malware. This may damage our systems and create unnecessary security risks.
  • Use of a vulnerability for other purposes than revealing the security problem
  • Copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system)
  • Making changes to a system
  • Repeatedly accessing the system or sharing access with others
  • Making public the fact that you found a vulnerability in the IT systems of the city of Delft without our consent

What you can expect

If you comply with the conditions mentioned above when reporting the observed vulnerability in an IT system of the city of Delft, we will not take legal action against you for hacking. The City of Delft will:

  • Handle a report confidentially and not share personal details with third parties without permission from the reporter, unless this is a legal obligation or mandatory by virtue of a judicial decision.
  • Send you a confirmation of receipt within one business day
  • Respond within 5 business days to your report with an assessment of the report and an expected date for solution.
  • Keep you up to date on the progress made with solving the problem
  • Offer you, as the first reporter of a vulnerability, a small token of appreciation for your help. Further rewarding depends on how serious the problem is and on the quality of the report.

Publication

It is our goal to solve all vulnerabilities in the IT systems as soon as possible. In some cases, it may take some time to come to a solid solution. If you wish to publish information about the reported vulnerability, you can do so with our consent and after we have solved the problem.