Responsible disclosure

• Email your findings to wittehoed@leeuwarden.nl. Send the findings securely via https://bestandverzenden.leeuwarden.nl to prevent the information from falling into the wrong hands. Please provide enough information to reproduce the problem so we can fix it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be needed for more complex vulnerabilities.We welcome tips to help us solve the problem. Please limit your report to verifiable factual details that relate to the vulnerability you have identified and avoid your advice actually amounting to advertising specific (security) products.
• Leave your contact details so that we can get in touch with you to work together for a safe outcome. Leave at least one e-mail address or phone number.
• Please submit the report as soon as possible after discovering the vulnerability.

• Installing malware, neither on our systems nor those of others.
• The “bruteforcing” of access to systems.
• Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data in general are seriously failing in their duty to treat it with due care. That means, by perfectly legal means (i.e. not through blackmail or suchlike), it is generally too easy to persuade them to provide such data to unauthorised persons. You should exercise all care that can reasonably be expected of you not to harm the interests the employees concerned themselves. Your findings should be aimed solely at demonstrating apparent flaws in procedures and working practices within the local authority and not at harming the interests of individuals employed by the local authority.
• Disclosing or providing information about the security problem to third parties before it is resolved.
• Taking actions beyond what is strictly necessary to demonstrate and report the security problem. In particular, where it involves processing (including viewing or copying) confidential data to which you have gained access due to the vulnerability. Rather than copying an entire database, it is usually sufficient for you to provide, for instance, a directory listing. Changing or deleting data in the system is not permitted under any circumstances.
• Disclosing or providing to third parties data of a confidential nature, such as privacy-sensitive data.
• Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
• Misusing the vulnerability in any other way.

• If you meet all the above conditions, we will not file criminal charges against you, and nor will we bring a civil case against you.
• If it is established that you have not complied with any of the conditions, we may still decide to take legal action against you. We treat a report confidentially and do not share the personal data of the person reporting with third parties without their consent, unless we are required to do so by law or court order.
• We always share the received report with the Municipal Information Security Service (IBD). This is how we ensure that local authorities share their experiences in this area. By mutual agreement, if you wish, we can mention your name as the person who identified the reported vulnerability. In all other cases, you will remain anonymous.
• We will send you an (automatic) acknowledgement of receipt within 1 working day.
• We respond to a report within 3 working days with an initial assessment of the report and possibly an expected date for resolution.
• We will resolve the security issue you have reported as soon as possible. We aim to keep you well informed of progress and never take longer than 90 days to solve the problem. However, we do often depend partly on suppliers in this respect.

It can be mutually agreed whether and how to publish the issue once it is resolved.