Responsible disclosure

Have you discovered a security flaw in an ICT system belonging to central government? Please notify us before informing the outside world, so that we can first take action. Doing so is called ‘responsible disclosure’.

What to do:

  • Report a vulnerability via a CVD-report form to the National Cyber Security Centre (NCSC).
  • Give enough detail to enable us to reproduce the flaw so that it can be remedied as soon as possible. The computer’s IP address or ICT system’s URL and a description of the security flaw is usually sufficient. The more complicated the flaw, the more detail we will require.
  • Leave your contact details so that we can contact you later. At least an email address or telephone number.
  • Report the flaw as soon as possible after discovering it.
  • Do not share any information about the flaw with others until it has been remedied.
  • Deal responsibly with the information in your possession. Do nothing beyond what is necessary to demonstrate the security flaw.

What not to do:

  • Send malware;
  • Copy, change, or delete data in the ICT system concerned (as an alternative, you can create a directory listing of the system);.
  • Change the system;
  • Repeatedly visit the system or share access with others;
  • Use ‘brute force’ to open the system;
  • Try denial of service or social engineering.

What to expect:

  • When you report the security flaw, check that you comply with the conditions described above. If you do so, the government will not attach any legal consequences to your notification.
  • The government treats the notifications it receives confidentially. It will not share your personal details with third parties without your permission unless required to do so by law or a court order.
  • The government can, if you wish, mention your name as the one who discovered the security flaw.
  • The government will send you an acknowledgement of receipt within one working day.
  • The government will respond to your notification within three working days. Its response will contain an assessment of your notification and the date on which it expects to remedy the flaw.
  • The government will keep you – as the one who discovered the flaw – informed of the progress made in remedying it.
  • The government will remedy the flaw as soon as possible, certainly no later than 60 days after receiving the notification. The government will work with you to determine whether and, if so, how the flaw reported is to be made public. It will not be made public until after it has been remedied.
  • The government will give you a reward as acknowledgement of your assistance.

Vulnerability of ICT systems outside central government

If you discover a security flaw in another government body (such as a municipality or province) or in an organisation with a vital function (such as an energy or telecoms company), please contact the body or organisation first. If you receive no response, please notify the National Cyber Security Centre, which will mediate between you and the body or organisation concerned.