Reporting a vulnerability (CVD)

In the event that you find a technical vulnerability in one of the Dutch Central Government's systems, you can report this to the National Cyber Security Centre (NCSC). This kind of report is known as a Coordinated Vulnerability Disclosure or CVD. In the event that you find a vulnerability in a system or product that does not belong to the Dutch Central Government, the vulnerability should first be reported to the owner of the system or the product supplier. You should only report your findings to the NCSC if this organisation does not respond adequately to the vulnerability, in which case we will serve as an intermediary and try to bring the vulnerability to the attention of the organisation once more. If you have any questions or comments regarding issues that do not relate to cyber security, you can contact the Dutch Central Government via the contact page on rijksoverheid.nl.

You can also contact the NCSC in the event you find vulnerabilities affecting multiple systems or suppliers. In such cases, the NCSC can help to coordinate a solution to the vulnerabilities in question. Vulnerabilities can be reported via the CVD form. We will subsequently get in contact with you to coordinate the resolution of the vulnerability in question.

Which vulnerabilities can be reported via a CVD?

Vulnerabilities that pose a risk to system security can be reported to us. Examples include vulnerabilities that enable login forms to be bypassed or provide unauthorised access to databases containing personal information.

Not every defect in a system constitutes a vulnerability. In general, the following defects do not result in a potential security breach, and we therefore kindly request that you do not report them to us:

  • Defects that do not affect the availability, integrity or confidentiality of data.
  • The availability of the WordPress xmlrpc.php functionality when its abuse is limited to what is known as a 'pingback denial-of-service' attack.
  • The opportunity to use cross-site scripting on a static website or a website that does not process any sensitive (user) data.
  • The availability of version information, for example via an info.php file. One possible exception in this scenario is when the version information reveals that the system uses software that contains known vulnerabilities.
  • The lack of HTTP security headers as used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless this lack of a security header demonstrably results in a security problem.

If you have any doubts about whether the defect you have found constitutes one of the above exceptions, then you can of course still report the defect to us. We will subsequently determine whether the defect constitutes a vulnerability and take appropriate follow-up action.

How do you submit CVDs?

Please take the following steps:

  • Fill in the CVD form and tell us what you have found. If desired, you can also make use of our PGP key for additional encryption of your report.
  • In your report, please describe as clearly as possible how the problem can be reproduced as this will help to accelerate the resolution process. Usually, the IP address or the URL of the affected system and a description of the vulnerability will suffice, although for more complex vulnerabilities, additional information may be required. In such cases, we will contact you.
  • At the very least, please provide an e-mail address or telephone number to enable us to contact you if we have any questions. We prefer to communicate via e-mail.

Ensure that you:

  • Report the vulnerability as soon as possible after discovering it.
  • Do not share any information about the security problem with others until you hear from us that it has been resolved.
  • Handle the knowledge of the security problem responsibly, for example, by performing no further actions involving the defect other than those that are necessary to demonstrate the security problem.

What must you not do?

You must never perform the following actions:

  • Introduce malware into the system.
  • Copy, edit or delete data in the system.
  • Make changes to the system.
  • Repeatedly access the system or share access to the system with others.
  • Perform brute-force attacks to gain access to a system.
  • Perform denial-of-service attacks or social engineering.
  • Share (YouTube) videos with the National Cyber Security Centre. These will not be accepted.

Principles of our CVD policy

  • If you submit your report in accordance with the procedure, then there will be no grounds for legal consequences in relation to your report. We will handle your report in confidence and we will not share your personal details with third parties without your permission unless we are compelled to do so by law or by a court ruling.
  • We will only specify your name as the discoverer of the vulnerability in question if you give permission for us to do so.
  • We will confirm receipt of the report within one working day and we will subsequently send an assessment of your report within three working days. We will also give you progress updates regarding the resolution of the problem.
  • The NCSC will strive to have the security problem identified by you resolved within no more than 60 days. Upon resolution of the problem, we will consult with you to determine whether and in what way to publish details of the problem and its resolution.
  • The NCSC will also offer a reward to thank you for your help. This reward can vary from a T-shirt to gift certificates depending on the severity of the security problem and the quality of the report. To be eligible for a reward, the report must concern a serious security problem that is as yet unknown to the NCSC.

Wall of Fame

Starting in 2023, the NCSC will place a Wall of Fame on its website each year to highlight and thank the researchers with the best reports from the previous year. The following quality requirements are considered for the creation of the list:

  • The report has a major impact on the digital security of the Netherlands
  • Where the same reporter has submitted multiple reports, the percentage of good, high-quality reports is high
  • The quality of the reporting in the notification is good

To link the reports to the right researcher, we ask researchers to use the same email address as a means of contact.