Responsible disclosure

Security not optimal? Report it to us!

The Municipality of Geldrop-Mierlo considers the security of its systems very important. Despite the care we take over the security of our systems, a weak spot can still exist. If you discover a weakness in one of our systems, we would like to hear from you, so that we can take appropriate action quickly. By reporting a vulnerability, the reporter agrees to the responsible disclosure terms below. The Municipality of Geldrop-Mierlo will then handle your report according to those terms.

We ask the following of you:

  • Email your findings as soon as possible to web_incident@geldrop-mierlo.nl.
  • We welcome tips that will help us solve the problem.
  • Please limit your advice to verifiable facts related to the vulnerability you have identified and avoid that your advice actually amounts to advertising specific (security) products.
  • Please leave your contact information so we can get in touch with you to work together for a safe outcome. Please leave at least one email address or phone number.
  • Please submit the report as soon as possible after discovery of the vulnerability.


The following actions are not permitted:

  • Placing malware, neither on our systems nor on those of others.
  • The so-called "bruteforcing" of access to systems.
  • Using social engineering, except to the extent strictly necessary to demonstrate that employees with access to sensitive data are generally (seriously) failing in their duty to handle it with care. That is, by entirely legal means (i.e., not through blackmail or the like), it is generally too easy to persuade them to provide such data to unauthorized persons. In doing so, you should exercise all the care that can reasonably be expected of you so as not to harm the employees in question themselves. Your findings should be aimed solely at demonstrating apparent flaws in the procedures and practices within the municipality and not at harming individuals employed by the municipality.
  • Disclosing or providing to third parties information about the security problem before it is resolved.
  • Taking actions beyond what is strictly necessary to demonstrate and report the security problem, particularly where this involves processing (including viewing or copying) confidential data to which you have had access due to the vulnerability. Instead of copying an entire database, a directory listing, for example, is normally sufficient. Changing or deleting data in the system is never permitted.
  • Using techniques that reduce the availability and/or usability of the system or services (DDoS attacks).
  • Misusing the vulnerability in any (other) way.


What can you expect from us?

  • If you meet all of the above requirements, we will not file criminal charges against you or bring a civil case against you.
  • If you are found to have violated any of the above conditions, we may still decide to take legal action against you. We treat a report confidentially and do not share a reporter's personal information with third parties without their consent, unless we are required to do so by law or court order.
  • We always share the received report with the Information Security Service for Municipalities (IBD). In this way, we ensure that municipalities share their experiences in this area.
  • We handle your report confidentially and will not share your personal information with third parties without your consent unless necessary to fulfill a legal obligation.
  • By mutual agreement, if you wish, we may include your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
  • We will respond to your report as soon as possible, and within 5 business days, with an (initial) assessment of the report and possibly an expected date for resolution. We will keep you informed about the progress of the resolution of the problem.
  • We will resolve the security issue you reported as quickly as possible. We strive to keep you well informed of the progress and never take longer than 90 days to solve the problem. However, we are often dependent on suppliers.

It can be mutually agreed whether and how to publish about the problem after it is resolved.