Coordinated Vulnerability Disclosure
At School-CERT for basic education, we consider the security of our own systems particularly important. Despite the
attention we pay to the security of our systems, a vulnerability may still exist. You can report such
vulnerabilities to us.
Collaboration
If you find a vulnerability in one of our systems, we would appreciate it if you let us know. We can then take
measures as quickly as possible. We are happy to work with you to better protect our users and systems. This
also applies to the systems of Dutch primary and secondary schools, as well as any (ICT) suppliers or service
providers for education.
Judicial prosecution
During your investigation it is possible that you take actions that are prohibited by law. If you follow
the conditions given in this agreement, we will not take legal action against you. However, the Public
Prosecutor always retains the right to decide whether or not to prosecute you.
Our request to you:
- Please ensure that your report is within scope. At the bottom of this page, you can verify what is
considered out of scope.
- Submit findings via e-mail (cvd@kennisnet.nl). Encrypt your findings using our PGP-key
to prevent information from falling into the wrong hands.
- Do not misuse the vulnerability you discovered, such as downloading more data than necessary to demonstrate
the flaw or accessing, modifying, or deleting personal data of third parties.
- Do not share information on vulnerabilities until they have been resolved and erase any obtained data as
soon as the problem is solved.
- Do not test physical security or third-party applications, and do not use social engineering techniques,
(distributed) denial-of-service, malware, or spam.
- Do provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible.
Usually, the IP address or the URL of the affected system and a description of the vulnerability are
sufficient, but complex vulnerabilities may require further explanation.
What we promise
- We will send you confirmation of receipt and will respond within five working days with an evaluation of
your report and an expected resolution date.
- If you comply with our Coordinated Vulnerability Disclosure policy, we have no reason to take legal action
against you.
- We will keep your report anonymous and will not pass on your personal details to third parties without your
permission, unless the law requires us to provide your personal information.
- Reporting under a pseudonym is possible.
- We will keep you informed of the progress towards resolving the problem.
- If you wish, we will mention your name as a vulnerability discoverer in the weakness report.
- We strive to solve all problems as quickly as possible and keep all parties involved informed. We would like
to be involved in any publication about the weakness after it has been resolved.
With thanks to Floor Terra for his sample text in Dutch on responsibledisclosure.nl.
Out of scope
- HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
- Fingerprint version banner disclosure on common/public services.
- Disclosure of known public files or directories or non-sensitive information (e.g., robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- OPTIONS HTTP method enabled.
- Anything related to HTTP security headers, e.g.:
  - Strict-Transport-Security.
  - X-Frame-Options.
  - X-XSS-Protection.
  - X-Content-Type-Options.
  - Content-Security-Policy.
- SSL configuration issues:
  - SSL forward secrecy not enabled.
  - Weak / insecure cipher suites.
- SPF, DKIM, DMARC issues.
- Host header injection.
- Reporting older versions of any software without proof of concept or working exploit.
- Information leakage in metadata.