Coordinated Vulnerability Disclosure (CVD)

GBLT considers the security of its systems to be of great importance

Despite all precautions, it is still possible that a weak spot (vulnerability) exists in our systems. Have you discovered such a vulnerability in mijnloket.gblt.nl? Please let us know by reporting it to GBLT, so that we can investigate the issue and resolve it as soon as possible. This allows GBLT to better protect its data and systems. This way of working together is called Coordinated Vulnerability Disclosure (CVD).

We ask you to do the following:

  • Send your findings by e-mail to security@gblt.nl (with proof preferably via PGP);
  • Please provide enough information so that we can reproduce the problem and fix it. Always include the IP address or URL of the affected system and a description of the vulnerability. For more complex vulnerabilities we would like to receive extra information and more details;
  • Please feel free to provide us with recommendations to help solve the problem. Please limit your advice to verifiable factual information that relates to the vulnerability you have found. Avoid advice that amounts to advertising for specific (security) products;
  • We request that you submit the report as soon as possible after the discovery of the vulnerability;
  • Do not make the problem public or share it with others. GBLT needs time to take appropriate measures to resolve the weakness. Even if it proves impossible to adequately resolve the problem, we stress that you should not make the vulnerability public or share it with others;
  • Wipe any (confidential) data obtained as soon as possible;
  • Leave your contact information so that we can contact you to work together to achieve a secure outcome. Please leave at least one email address or phone number. You are free to remain anonymous when doing so.

The following actions are not permitted:

  • Placing malware on our systems;
  • So-called "bruteforcing" of access to systems;
  • Using social engineering;
  • Using tooling that may cause nuisance to GBLT;
  • Disclosing or providing information about the security vulnerability to third parties before the issue is resolved.
  • Taking actions that go beyond what is strictly necessary to demonstrate and report the security issue. This applies in particular to processing (including viewing or copying) confidential data to which you have had access due to the vulnerability. Instead of copying a complete database, a directory listing, for example, is usually sufficient;
  • Changing or deleting data in the system is never allowed;
  • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks);
  • Abusing the vulnerability in any (other) way.

What you can expect:

  • If you meet all the above conditions, we will not file a criminal complaint against you, nor will we bring a civil lawsuit against you;
  • If it turns out that you have violated one of the above conditions, we can still decide to take legal action against you;
  • We will send you an (automatic) confirmation of receipt within 1 working day;
  • We will respond to a report as soon as possible with an (initial) assessment of the report and possibly an expected date for a solution;
  • We will resolve the security issue you reported as soon as possible. We strive to keep you well informed of the progress and to never take more than 90 days to solve the problem. We are often partly dependent on suppliers;
  • We do not pay any public attention to reports, unless there is a reporting obligation (data breaches) and the law prescribes this. The reporter can remain anonymous. We can, however, share the report with the Information Security Service for Municipalities (IBD). In this way we ensure that organizations affiliated with the IBD share their experiences in this area with each other;
  • We can offer a reward as gratitude for your help. Depending on the severity of the vulnerability and the quality of the report, the reward can range from a simple "thank you" to a financial reward. However, this must concern a high-risk security problem within mijnloket.gblt.nl which is still unknown to us.