Coordinated Vulnerability Disclosure
Are you reporting a vulnerability in one of the systems of Belastingdienst, Customs or Toeslagen? Please do so before you share it with others. This will allow us to take measures first. This is referred to as 'Coordinated Vulnerability Disclosure' (CVD).
Points to consider when reporting a vulnerability (CVD)
We ask you:
- to inform us of the vulnerability immediately after discovering it.
- to send us your findings by e-mail: email@example.com, firstname.lastname@example.org or email@example.com (use these addresses for this type of report only).
If possible, encrypt your findings with our PGP key (KeyID: 71cd8e09, fingerprint: 06c4 83ef 1c63 93de f281 97b7 17b3 7108 71cd 8e09) so that the information cannot fall into the wrong hands. Check the full fingerprint before you encrypt: the short 32-bit KeyID on its own does not identify a key uniquely, because other keys can be generated with the same KeyID.
- provide enough information for us to reproduce the problem, so that we can rectify it as quickly as possible.
In most cases, the IP address or the URL of the system affected and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities.
- leave your contact details so that our Security Operations Centre can contact you in order to jointly find a safe solution.
Leave at least an e-mail address or telephone number.
- do not share the information regarding the security problem with other people until we have solved it.
- handle the information regarding the security problem responsibly by not performing any actions that go further than necessary to demonstrate the security problem.
- realize that any information in our systems falls under the (fiscal) duty of confidentiality and that further dissemination of the said information is a punishable offence.
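Checking the key before encrypting, as an added example that is not part of the Belastingdienst page or its own tooling: the functions below normalise the fingerprint printed above, compare it against the `fpr` records of `gpg --with-colons` output, and show on a constructed keyring listing why the short KeyID is not enough. Only `check_keyring` and `encrypt_report` need `gpg` installed and the key imported; the sample listing is constructed here and is not real `gpg` output.

```shell
#!/bin/sh
# Added example (not from the Belastingdienst page): verify the CVD key by its
# full fingerprint, not its short KeyID, before encrypting a report to it.

# Fingerprint exactly as printed in the CVD policy (spaced every 4 hex digits).
EXPECTED_FPR='06c4 83ef 1c63 93de f281 97b7 17b3 7108 71cd 8e09'

# Normalise a fingerprint: drop whitespace and upper-case the hex digits, so the
# spaced form on the web page and gpg's compact form compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Print every key fingerprint (field 10 of "fpr" records) in
# `gpg --with-colons` output read from stdin.
fprs_from_colons() {
  awk -F: '$1 == "fpr" { print $10 }'
}

# Short (32-bit) key ID of a fingerprint: its last 8 hex digits.
short_keyid() {
  normalize_fpr "$1" | awk '{ print substr($0, length($0) - 7) }'
}

# Constructed sample of a keyring listing (NOT real gpg output; pub fields
# abbreviated): the CVD key, plus a second key chosen so that its last 8 hex
# digits, i.e. its short KeyID 71CD8E09, collide with the genuine one.
SAMPLE_COLONS='pub:u:4096:1:17B3710871CD8E09:
fpr:::::::::06C483EF1C6393DEF28197B717B3710871CD8E09:
pub:-:4096:1:0000000071CD8E09:
fpr:::::::::0000000000000000000000000000000071CD8E09:'

# How many keys in the sample share the short KeyID printed on the page.
sample_short_id_hits() {
  want=$(short_keyid "$EXPECTED_FPR")
  printf '%s\n' "$SAMPLE_COLONS" | fprs_from_colons |
    while read -r f; do short_keyid "$f"; done | grep -c -x "$want"
}

# How many keys in the sample match the full fingerprint printed on the page.
sample_full_fpr_hits() {
  printf '%s\n' "$SAMPLE_COLONS" | fprs_from_colons |
    grep -c -x "$(normalize_fpr "$EXPECTED_FPR")"
}

# Live check: does the local keyring hold a key with exactly this fingerprint?
# Requires gpg and a previously imported copy of the key.
check_keyring() {
  gpg --batch --with-colons --fingerprint "$(normalize_fpr "$EXPECTED_FPR")" 2>/dev/null |
    fprs_from_colons | grep -q -x "$(normalize_fpr "$EXPECTED_FPR")"
}

# Encrypt a report to the verified key. The recipient is given as the full
# fingerprint, so gpg can never pick a colliding key by short ID.
# Usage: encrypt_report findings.txt   (writes findings.txt.asc)
encrypt_report() {
  check_keyring || { echo "CVD key not in keyring or fingerprint mismatch" >&2; return 1; }
  gpg --batch --armor --encrypt \
    --recipient "$(normalize_fpr "$EXPECTED_FPR")" --output "$1.asc" "$1"
}

# Demo on the constructed sample: two keys share the short KeyID, only one has
# the full fingerprint.
echo "keys matching short KeyID $(short_keyid "$EXPECTED_FPR"): $(sample_short_id_hits)"
echo "keys matching full fingerprint: $(sample_full_fpr_hits)"
```

The point of the sample is the two counts: both keys answer to KeyID 71cd8e09, so `gpg --recipient 71cd8e09` could select either of them, while only one answers to the 40-digit fingerprint. Import the key from wherever you obtained it, run `check_keyring`, and only then `encrypt_report` your findings.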
In all events, avoid the following:
- installing malware
- copying, changing or deleting information or configurations of a system (if you need to demonstrate access, a directory listing or a screenshot is sufficient)
- using so-called 'brute force' to gain access to systems
- using denial-of-service attacks or social engineering
You can expect the following from us:
- If your report satisfies the aforementioned conditions, we will not attach any legal consequences to it. We will treat your report as strictly confidential and will not share any of your personal details with third parties without first obtaining your permission, unless this is required by law or by a court decision.
- We will send you a confirmation of receipt within 1 working day.
- We will respond to your report with our assessment and an expected solution date within 5 working days.
- We will keep you informed about the progress made. We will rectify the security problem you detected in our system within a reasonable period of time. In mutual consultation, we will determine when and in what way this will be published.
- If you wish, we can name you as the discoverer of the reported vulnerability.
- As thanks for your help, we offer a small reward for each report of a serious security problem of which we were unaware. This reward will never be a cash reward.
This text was compiled as a supplement to 'Coordinated Vulnerability Disclosure: the Guideline' of National Cyber Security Centre (NCSC).
A valuable report deserves a reward
Is the vulnerability still unknown in our opinion and does it constitute a serious security problem? Then we will give you a reward (swag).
Examples of trophy-worthy reports:
- Cross-Site Scripting vulnerabilities (except self-XSS)
- SQLi and command injections
- Authentication Bypass, Unauthorized data access
- Server-Side Request Forgery
- Access to PII data
- Authentication vulnerabilities
- Directory Traversal
- Credential leaks
- Username enumeration without using brute-force methods
Examples of thank-you-letter-worthy notifications:
- HTTP Host Header Injection
- SPF / DKIM misconfigurations
- Social Engineering
- Denial of Service
- Attacks on physical property of the tax authorities
- Username enumeration by using brute-force methods
- Vulnerabilities that can only be exploited with stolen credentials
- Vulnerabilities that only apply to outdated software / browsers
- Scanner outputs or scanner reports without a proof of concept showing that vulnerabilities can be exploited
All reports are checked by our team, and the final reward (swag) may differ from the examples given. A report of a type not listed here is always welcome; our team will assess it and decide how it is handled.
Hall of Fame
In the event you submit a report that we judge to be worth a trophy or a letter of thanks, you will also get a place in our 'Hall of Fame'. Of course, we will ask you first if that is something you want.
- Go to 'Hall of Fame – CVD the Netherlands Tax Administration' to see who has already been awarded
- This work is licensed under a 'Creative Commons Attribution-ShareAlike 3.0 Unported License'