Reporting weak spots in IT-systems

Security of its IT systems is of great importance to the city of Westland. Despite all our precautions, we can’t rule out the possibility of a weak spot.
If you have found a weak spot in one of the IT systems of the city of Westland, we invite you to contact us, so we can take action to fix the vulnerability as soon as possible. To deal with the vulnerabilities in the city of Westland’s IT systems in a responsible way, we use the following rules for Coordinated vulnerability disclosure (previously known as Responsible disclosure).

The City of Westland would like to ask you

  • to e-mail your findings to [email protected]
  • to report the vulnerability as quickly as possible after its discovery
  • to provide sufficient information to reproduce the problem in order to help us solve the problem as quickly as possible. The IP address or the URL of the system affected and a description of the vulnerability are usually sufficient, but more may be needed in case of more complex vulnerabilities
  • to leave your contact details, at least an e-mail address or telephone number. We may need your cooperation to achieve a safe result. You may use an alias, provided we can contact you

How to disclose a security problem

In general we expect you to act responsibly and not to abuse the vulnerability you have found. Handle your knowledge of the security problem with care by not performing any acts other than those necessary to reveal the security problem. Do not share the information about the security problem with others until the problem has been solved.
The following actions are not allowed:

  • use of social engineering to gain access to systems
  • attacking physical protection to gain access to systems (e.g. breaking and entering)
  • use of so-called “brute force” to access systems
  • use of “distributed denial of service attacks”
  • installing malware. This may damage our systems and create unnecessary security risks
  • use of a vulnerability for other purposes than revealing the security problem
  • copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system)
  • making changes to a system
  • repeatedly accessing the system or sharing access with others
  • making public the fact that you found a vulnerability in the IT-systems of the city of Westland without our consent

What you can expect

If you comply with the conditions mentioned above when reporting the observed vulnerability in an IT system of the city of Westland, we will not take legal action against you for hacking. The city of Westland will:

  • handle a report confidentially and not share personal details with third parties without permission from the reporter, unless this is a legal obligation or mandatory by virtue of a judicial decision
  • send you a confirmation of receipt within two business days
  • respond within 5 business days to your report with an assessment of the report and an expected date for solution
  • keep you up to date on the progress made with solving the problem
  • offer you, as the first reporter of a vulnerability, a small token of appreciation for your help. This can range from a simple ‘Thank you!’ to a financial reward of a maximum of €300,-. This depends on how serious the problem is and on the quality of the report

Publication

It is our goal to solve all vulnerabilities in the IT-systems as soon as possible. In some cases, it may take some time to come to a solid solution. If you wish to publish about the reported vulnerability, you can do so with our consent and after we have solved the problem.