Reporting a vulnerability (CVD)

In the event that you find a technical vulnerability in one of the Dutch Central Government's systems, you can report this to the National Cyber Security Centre (NCSC). This kind of report is known as a Coordinated Vulnerability Disclosure or CVD.

You can also contact the NCSC in the event you find vulnerabilities affecting multiple systems or suppliers. In such cases, the NCSC can help to coordinate a solution to the vulnerabilities in question.

Vulnerabilities can be reported via the CVD form. We will subsequently get in contact with you to coordinate the resolution of the vulnerability in question.

In the event that you find a vulnerability in a system or product that does not belong to the Dutch Central Government, the vulnerability should first be reported to the owner of the system or the product supplier. You should only report your findings to the NCSC if this organisation does not respond adequately to the vulnerability, in which case (after receiving proof of attempts at contact) we will serve as an intermediary and try to bring the vulnerability to the attention of the organisation once more.

If you have any questions or comments regarding issues that do not relate to cyber security, you can contact the Dutch Central Government via the contact page on rijksoverheid.nl.

Which vulnerabilities can be reported via a CVD?

Vulnerabilities that pose a risk to system security can be reported to us. Examples include vulnerabilities that enable login forms to be bypassed or provide unauthorised access to databases containing personal information.

Not every defect in a system constitutes a vulnerability. In general, the following defects do not result in a potential security breach and we therefore kindly request that you do not report such defects to us:

  • Defects that do not affect the availability, integrity or confidentiality of data.
  • The availability of WordPress functionality like wp-cron.php, the wp-json users endpoint and xmlrpc.php (when its abuse is limited to what is known as a 'pingback denial-of-service' attack).
  • The opportunity to use cross-site scripting on a static website or a website that does not process any sensitive (user) data.
  • The availability of technical information such as version information, IP addresses and usernames. Exceptions are made when this information can directly and demonstrably be abused, such as software versions with known vulnerabilities, users with default credentials, or IP addresses that lead to system access.
  • The lack of HTTP security headers as used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless this lack of a security header demonstrably results in a security problem.
  • Security issues that lack a realistic exploitation scenario, only disclose non-sensitive or low-risk information, or depend on phishing or extensive user interaction. These are considered low-impact and do not qualify for recognition or rewards.

If you have any doubts about whether the defect you have found constitutes one of the above exceptions, then you can of course still report the defect to us. We will subsequently determine whether the defect constitutes a vulnerability and take appropriate follow-up action.

Please note that decisions regarding a reported vulnerability are final and not up for discussion. Repeated communication, whether requests for updates or otherwise, disrupts the CVD process.

How do you submit CVDs?

Please take the following steps:

  • Fill in the CVD form and tell us what you have found. If desired, you can also make use of our PGP key for additional encryption of your report.
  • In your report, please describe as clearly as possible how the problem can be reproduced as this will help to accelerate the resolution process. Usually, the IP address or the URL of the affected system and a description of the vulnerability will suffice, although for more complex vulnerabilities, additional information may be required. In such cases, we will contact you.
  • At the very least, please provide an e-mail address to enable us to contact you if we have any questions. We prefer to communicate via e-mail.

Ensure that you:

  • Report the vulnerability as soon as possible after discovering it.
  • Do not share any information about the security problem with others until you hear from us that it has been resolved.
  • Handle the knowledge of the security problem responsibly, for example, by performing no further actions involving the defect other than those that are necessary to demonstrate the security problem.

What must you not do?

You must never perform the following actions while researching a vulnerability:

  • Introduce malware into the system.
  • Copy, edit or delete data in the system.
  • Make changes to the system.
  • Repeatedly access the system or share access to the system with others.
  • Perform brute-force attacks to gain access to a system.
  • Perform denial-of-service attacks or social engineering.
  • Share (YouTube) videos with the National Cyber Security Centre; these will not be accepted.

Principles of our CVD policy

  • If you submit your report in accordance with the procedure, then there will be no grounds for legal consequences in relation to your report. We will handle your report in confidence and we will not share your personal details with third parties without your permission unless we are compelled to do so by law or by a court ruling.
  • We will only specify your name as the discoverer of the vulnerability in question if you give permission for us to do so.
  • We will confirm receipt of the report within one working day and we will subsequently send an assessment of your report within three working days. We will also give you progress updates regarding the resolution of the problem.
  • Upon resolution of the problem, we will consult with you to determine whether and in what way to publish details of the problem and its resolution.
  • The NCSC will also offer a reward to thank you for your help. This reward can vary from a T-shirt to gift certificates depending on the severity of the security problem and the quality of the report. To be eligible for a reward, the report must concern a serious security problem that is as yet unknown to the NCSC.
  • For vulnerabilities affecting multiple systems or vendors, coordinated by the NCSC, the NCSC may assign a CVE number. The vulnerability must meet the requirements of the CVE Program and align with the NCSC's CNA (CVE Numbering Authority) role.
  • We kindly ask reporters to respect our decision process. Excessive emails or pressure regarding declined reports — for both current and future submissions — may result in ineligibility for rewards or inclusion in the Hall of Fame.

Wall of Fame

Starting in 2023, the NCSC publishes a Wall of Fame on its website each year to highlight and thank the researchers with the best reports from the previous year. To be eligible for inclusion in the Hall of Fame, the following quality requirements are considered when compiling the list:

  • The report has a major impact on the digital security of the Netherlands.
  • Reports must be clear, well-documented, and demonstrate a thorough understanding of the issue.
  • When a reporter submits multiple reports, the majority should demonstrate strong quality and clarity.

To link the reports to the right researcher, we ask researchers to use the same email address as a means of contact.