Information Security

Despite all care and commitment to securing information systems, situations may arise where there is a weakness: a security breach. If you believe you have found a vulnerability in one of the municipal systems, we ask that you report the information about the security breach to us. This will allow the leak to be fixed as soon as possible and prevent others from abusing the security vulnerability. This is how we work together on the province's information security. To make this possible in a good and responsible way, the province and you must comply with the agreements below.

Contacting the Data Protection Officer

If you have any questions about information security at the Municipality of Opsterland, please contact the Data Protection Officer of the Municipality of Opsterland. You can do this by sending an e-mail to the following address:

privacy@opsterland.nl

Process and agreements for reporting a security breach

  • Coordinated Vulnerability Disclosure (CVD).

The Opsterland Municipality attaches great importance to the security of its systems. Despite all precautions, it remains possible that a weakness in the systems can be found. If you discover a vulnerability in one of our systems, we would like to hear from you so that we can take appropriate measures quickly. By making a report, you, the reporter, agree to the agreements below regarding Coordinated Vulnerability Disclosure (CVD).

Handling notification

We ask the following of you

Email your findings to teamsecurity@owo-gemeenten.nl

  • Please provide enough information to reproduce the problem so that we can fix it as soon as possible. Usually the IP address, URL, screenshots and so on of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.
  • We welcome tips to help us solve the problem. Please limit your tips to verifiable, factual information related to the vulnerability you have identified, and make sure your advice does not amount to advertising specific (security) products.
  • Please leave contact information so we can get in touch with you to work together for a safe outcome. Please leave at least one email address or phone number.
  • Submit the report as soon as possible after discovering the vulnerability.

The following actions are not permitted

  • Placing malware, whether on our systems or on those of others.
  • The so-called "bruteforcing" of access to systems, except to the extent strictly necessary to demonstrate a serious security deficiency in this area, that is, if it is extraordinarily easy to use publicly available and readily affordable hardware and software to crack a password that could seriously compromise the system.
  • Using social engineering.
  • Disclosing or providing to third parties information about the security problem before the problem is resolved.
  • Taking actions beyond what is strictly necessary to demonstrate and report the security problem, particularly where this involves processing (including viewing or copying) confidential data to which you have had access due to the vulnerability. Instead of copying an entire database, a directory listing, for example, will normally suffice. Changing or deleting data in the system is never permitted.
  • Using techniques that reduce the availability and/or usability of the system or services ((D)DoS attacks).
  • Misusing the vulnerability in any (other) way.

What to expect

  • If you meet all of the above requirements, we will not file criminal charges against you or bring a civil case against you.
  • If it turns out that you did violate any of the above conditions, we may still decide to take legal action against you.
  • We treat a report confidentially and do not share a reporter's personal information with third parties without their permission, unless we are required to do so by law or court order.
  • We may share the report received (always anonymously) with other provinces and the Information Security Service for Municipalities (IBD). In this way, we ensure that provinces and municipalities (through the IBD) share their experiences in this area.
  • By mutual agreement, if you wish, we may include your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
  • We will send you an acknowledgment of receipt within 2 business days.
  • We respond to a report within 1 week with an (initial) assessment of the report and possibly an expected date for resolution.
  • We will resolve the security issue you reported as quickly as possible. We strive to keep you well informed of the progress and never take longer than 90 days to solve the problem. However, we are often partly dependent on suppliers.
  • It can be mutually agreed whether and how to publish about the problem after it is resolved.

Learn more

Still have questions?

If so, please contact the Public Center.

Municipality of Opsterland