At the Port of Rotterdam Authority, we consider the security of our systems to be of the utmost importance. Despite the care we take to secure our systems, a weakness may still remain. If you have found a weakness in one of our systems, we would like to hear about it so that we can take appropriate measures as quickly as possible.
Weaknesses can be discovered in two ways: you come across something by accident during normal use of a digital environment, or you deliberately search for one. Our responsible disclosure policy is not an invitation to actively scan our business network for weaknesses. We monitor our business network ourselves, so a scan is very likely to be detected and to trigger an investigation, which could result in unnecessary costs.
We will gladly work with you on improving the security of our systems.
What we ask:
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings with our PGP key to prevent this information from falling into the wrong hands.
- Do not abuse the vulnerability, for example by downloading more data than necessary to demonstrate the leak, or by viewing, deleting or editing third-party data. We will always take your report seriously and investigate any suspected vulnerability, even without ‘proof’.
- Do not share the problem with others until it has been resolved. Delete all confidential information obtained through the vulnerability immediately after it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or attacks on third-party applications.
- Provide enough information for the problem to be reproduced so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are enough; more complex vulnerabilities may require more information.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission, unless this is required by law. Submitting a report under a pseudonym is allowed.
- We will keep you informed of the progress on resolving the problem.
- In any report on the problem, we will, if you wish, name you as the discoverer.
If you have complied with the above conditions, we will not take legal action against you for the notification.
We try to resolve all problems as quickly as possible, and we would like to play an active role in any eventual publication about the problem once it has been resolved.
This text is based on the sample text published at http://responsibledisclosure.nl/