Coordinated Vulnerability Disclosure

What to do if you discover a vulnerability

At the Amsterdam University of Applied Sciences, we pay close attention to the security of our systems. Despite our care, vulnerabilities may occur. Have you discovered a vulnerability? Please notify us as soon as possible in accordance with our Responsible Disclosure Guidelines, so that we can take action as quickly as possible.

Have you discovered a vulnerability?

Submit your findings by using the form from our partner Zerocopter.

How can we work together to ensure secure systems?

We ask you:

  • not to exploit vulnerabilities by, for example, downloading more data than is necessary to demonstrate the vulnerability, and use extra caution when it comes to personal data: do not access, delete or modify any third-party data;
  • not to share vulnerabilities with others until they are resolved and delete all confidential data obtained through vulnerabilities as soon as possible;
  • not to use attacks on physical security or third-party applications, social engineering, distributed denial-of-service or spam;
  • to provide sufficient information to reproduce the vulnerability so that we can resolve it quickly. Usually, an IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities;
  • to report your findings as soon as possible by using the form from our partner Zerocopter.

We promise:

  • to respond to your report within five days with our assessment and an expected date for a solution;
  • to treat your report as confidential and not to share your personal data with third parties without your consent, unless this is necessary to comply with a legal obligation;
  • if you want to, to keep you informed of the progress in resolving the issue;
  • to include your name as the discoverer of the vulnerability in any communications about the reported problem, if you so choose;
  • that it is possible to report anonymously or under a pseudonym. It is important for you to know that this does mean we will not be able to contact you about the next steps, the progress of the remediation of the leak, publication or a possible reward for the report;
  • to offer a reward for your help, for every first report of a vulnerability that is still unknown to us. The size of the reward will be determined by the severity of the vulnerability and the quality of the report, and will vary from an honourable mention to a gift;
  • to strive to resolve reported problems as quickly as possible. We are happy to be involved in any publication about the problem after it has been solved.

Vulnerability

A vulnerability is a property of a society, organisation or information system or a component thereof that impairs the resilience of this entity. A vulnerability provides an opportunity for a malicious party to inflict damage because the protection against damage is inadequate. For example, a malicious party may be able to prevent and influence legitimate access to information or functionality or gain unauthorised access. Vulnerabilities are the 'gateways' through which threats can lead to incidents. Resolving vulnerabilities is a direct way of reducing threats and reducing the chance of incidents. (Source: NCSC)

Coordinated Vulnerability Disclosure

Responsible Disclosure or Coordinated Vulnerability Disclosure is the disclosure of ICT vulnerabilities in a responsible manner and in collaboration between the notifier and the organisation, based on a policy drawn up by organisations for this purpose.

Published by ICT Services, 14 April 2023