Data leak, vulnerability, or abuse of our computer systems? Please report it
The Tax Authorities strive to ensure the highest possible level of security. We apply the highest level of security to safeguard the information entrusted to us, so that everyone's privacy is and remains guaranteed. However, unsafe situations may still occur despite all our best efforts and due diligence.
The following subjects are discussed below:
- Report misuse of our network
- Report other security threats
- Coordinated Vulnerability Disclosure (rules relating to reporting vulnerabilities in our computer programs)
Reporting malicious and phishing e-mails
Have you received a suspect or malicious e-mail (phishing e-mail)?
Go to: Reporting malicious and phishing e-mails.
Report misuse of our network
Have you noticed that our software systems (Tax Authority, Excise or Customs) are being misused, for example, because you have received suspect e-mails or messages? Report this to us at: firstname.lastname@example.org (use this e-mail address for this type of report only).
Would you like to submit a report securely? Then use our PGP-key (KeyID: 41C52C68, Fingerprint: 13CE C915 71C6 B96F E7E0 AC20 9E38 A2B8 41C5 2C68).
Reporting other security threats
Would you like to report other urgent security threats, which must be reported immediately in the general interest of, for example, the Tax Authorities, Customs, the Netherlands and/or the European Union? Then please contact the Security Operations Centre (SOC) of the Tax Authorities as quickly as possible. The SOC is available 7 days a week and 24 hours a day via: email@example.com (use this e-mail address for this type of report only). Would you like to submit your report securely? Then use our PGP-key (KeyID: 57E4437D, Fingerprint: A986 4C97 415E D83E 725F 7676 5186 CB19 57E4 437D).
For less urgent security threats, please contact the Tax Information Line.
More information on using the internet safely
For more information on using the internet safely, please go to:
- For citizens and SMEs: www.veiliginternetten.nl (only available in Dutch)
- For professionals: www.ncsc.nl/english (National Cyber Security Centre (NCSC) of the Ministry of Justice and Security)
For all e-mail addresses on this page: only use them for this type of report
The e-mail addresses on this page are only intended to inform us of what you noted and know about the issue indicated for that e-mail address. Are you reporting something else to one of the e-mail addresses on this page? Then your e-mail will not be processed. The message in your e-mail will not be recorded in our records.
Coordinated Vulnerability Disclosure
Finding a weak spot in one of our systems is not inconceivable. Have you found a weak spot? Then you can report it according to the following arrangements. You may hold the Tax Authorities to this policy within the scope of Coordinated Vulnerability Disclosure (CVD).
Vulnerabilities in the Tax Authorities' ICT systems
Please inform us immediately of any vulnerability you may find in the Tax Authorities' ICT systems, so that we can take the necessary measures as soon as possible. Your cooperation in improving the security of our ICT systems is always greatly appreciated.
We ask you:
- to inform us of the vulnerability immediately after discovering it.
- to send us your findings by e-mail: firstname.lastname@example.org (use for this type of report only).
  If possible, encrypt your findings with our PGP-key (KeyID: 57E4437D, Fingerprint: A986 4C97 415E D83E 725F 7676 5186 CB19 57E4 437D) to prevent information from falling into the wrong hands.
- to provide sufficient information to be able to reproduce the problem, so that we can rectify this as quickly as possible.
  In most cases, the IP address or the URL of the system affected and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities.
- to leave your contact details so that our Security Operations Centre can contact you in order to jointly find a safe solution.
  Leave at least an e-mail address or telephone number.
- not to share the information regarding the security problem with other people until we have solved it.
- to handle the information regarding the security problem responsibly by not performing any actions that go further than necessary to demonstrate the security problem.
- to realize that any information in the systems of the Tax Authorities falls under the (fiscal) duty of confidentiality and that further dissemination of the said information is a punishable offence.
In all events, avoid the following:
- copying, changing or deleting information or configurations of a system (or alternatively making a directory listing or a screenshot)
- using so-called 'brute force' to gain access to systems
- using denial-of-service attacks or social engineering
You can expect the following from us:
- If your report satisfies the aforementioned conditions, we will not attach any legal consequences to this report. We will deal with your report strictly confidentially and will not share any of your personal details with third parties without first obtaining your permission, unless this is mandatory by virtue of the law or a court decision.
- We will send you a confirmation of receipt within 1 working day.
- We will respond to your report with our opinion and an expected solution date within 5 working days.
- We will keep you informed about the progress made. We will rectify the security problem you detected in our system within a reasonable period of time. In mutual consultation, we will determine when and in what way this will be published.
- If you desire, we can name you as the discoverer of the reported vulnerability.
- And as thanks for your help, we offer a playful reward for each report of a serious security problem of which we are unaware. However, this reward will never be a cash reward.
This text was compiled as a supplement to the guideline of the National Cyber Security Centre.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Examples of cup-worthy reports:
- Cross-Site Scripting vulnerabilities (except self-XSS)
- SQLi and command injections
- Authentication Bypass, Unauthorized data access
- Server-Side Request Forgery
- Access to PII data
- Authentication vulnerabilities
- Directory Traversal
- Credential leaks
Examples of thank-you-letter-worthy notifications:
- HTTP Host Header Injection
- SPF / DKIM errors
- Social Engineering
- Denial of Service
- Attacks on physical property of the tax authorities
- Username enumeration
- Vulnerabilities using stolen credentials
- Vulnerabilities that only apply to outdated software / browsers
- Scanner output or scanner reports
All reports are checked by our team and it is possible that the final reward (swag) deviates from the examples mentioned. If you have a report that is not listed here, it is always welcome and our team will check to what extent your report is handled.