Responsible disclosure (English version)

At the Municipality of Moerdijk, we consider the security of our systems very important. Despite our concern for the security of our systems, it is possible that there is still a weakness.

At the Municipality of Moerdijk, we consider the security of our systems very important. Despite our concern for the security of our systems, it is possible that there is still a weakness.

If you have found a weak spot in one of our systems, please let us know so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.

Attention! Not all vulnerability reports will be processed. Click here for a list of vulnerabilities that are in-scope and out of scope of our policy:

We ask you:

  • Please send us your report via this link. Do not forget to mention your contact details (email address and / or telephone number) and mention that it concerns a vulnerability at the municipality of Moerdijk.
  • Do not abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak of third party data, view, delete or modify it.
  • Clear all confidential data obtained through the breach immediately upon reporting the breach.
  • Do not use attacks on physical security, social engineering, spam, brute force or third party applications. The municipality also asks you not to use techniques that reduce the availability and / or usability of the service system.
  • Do not post, send, upload, link to, send or store malicious software.
  • Do not test what would result in sending spam or other unsolicited messages.
  • Do not perform automatic scans without first talking to us.
  • Do not test in a way that would compromise the operation of the solutions we use.
  • Do not make a vulnerability public within 30 days of the vulnerability being resolved by us and not without our explicit written permission. Don't include sensitive data in the revealed vulnerability.
  • Provide us with sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually, the IP address of the affected system URL and a description of the vulnerability with an error message is sufficient, but more complex vulnerabilities may require more.

What we promise:

  • We will respond to your report within 5 business days with our assessment of the report.
  • If you have complied with the aforementioned terms and conditions, the municipality will not take legal action against you regarding the notification.
  • Your report will be treated confidentially and your personal data will not be shared with third parties without your permission, unless the municipality is obliged to do so by law or court order. Reporting under a pseudonym is possible.
  • The security vulnerability you reported will be resolved as soon as possible. In this, the municipality is often co-dependent on external parties. The municipality will keep you informed of the progress.
  • Whether and how the problem is published after it has been solved is determined in mutual consultation and in consultation with the Municipal Information Security Service. If you wish, the municipality will state your name as discoverer of the vulnerability found in the 'Wall of Fame' on its own website.
  • We can offer you a reward as a thanks you for your help. Whether you receive a reward and the size or form of the reward depends on the severity of the vulnerability and the quality of the report. The municipality therefore evaluates each valid report.

Legal aspects

By submitting a report to the municipality of Moerdijk, you acknowledge that you have read and agree to the above conditions. You also warrant that you are the finder of the submission, and you hereby grant us permission to use, reproduce, copy, modify and otherwise delete your submission in any manner that we deem necessary.

You agree that you will not use this disclosure for marketing or financing purposes, as a reference in any personal or professional presentation or in documentation or other material;

In addition, you will not use the the name or the logo of the municipality of Moerdijk in any way of online or physical communication, regarding this vulnerability under Responsible Disclosure.

This contents of this policy is partly inspired by and partly taken from the example on responsibledisclosure.nl.