Coordinated Vulnerability Disclosure

Our dependence on digital infrastructure is ever increasing. This applies to society as a whole, but also to ourselves. It is therefore our opinion that governments and organizations (including ours) should strongly commit to securing our digital infrastructure. We do realize that, in spite of our best intentions and greatest care, vulnerabilities may exist in our systems. If you do happen to find one of these weaknesses, we would love to hear from you so we can resolve the issue.

We ask you:

  • When you are investigating one of our systems, bear in mind the proportionality of the attack. There is no need to demonstrate that when you subject our website to the largest DDos-attack in the history of the internet, the site may become unreachable. We know that. We also understand that if you drive a bulldozer into our office, you will probably be able to snatch one of our laptops.
  • This principle of proportionality is also relevant when demonstrating the vulnerability itself. You should not inspect or modify more data than strictly necessary in order to confirm the validity of your finding. For instance, if you are able to modify our homepage, just add a single non-controversial word to it instead of taking over the entire page. If you can obtain access to a database, it suffices to show us a list of the tables that are in there, or perhaps the first record in one of these tables.
  • A vulnerability in one of our systems should be reported as soon as possible by sending an email to
  • You will not share your knowledge of the vulnerability with other parties as long as we have not addressed the issue and we are still within a reasonable timeframe since you reported the issue.
  • You will delete all confidential information you have obtained during your investigation as soon as we have resolved the vulnerability.

What we promise you:

  • We will respond to your report within three business days in a detailed manner. We will include an estimate of the time we will require to address the issue. Of course, we will regularly keep you posted on our progress.
  • We will resolve the vulnerability as soon as possible. Here too, proportionality is important: the amount of time required to fix a vulnerability depends on several factors, among which the severity and the complexity of the issue at hand.
  • Please provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • When you follow the guidelines that are laid out here, we will not take legal action against you regarding your report.
  • It is important to us to credit you for what you did - if you wish. We will mention your name in a publication regarding the vulnerability only if you agree to this.
  • As a thank you for helping us in better protecting our systems, we would like to reward every report of a vulnerability that was unknown to us at the time. The reward will depend on the severity of the vulnerability and the quality of the report.
  • Should you find a vulnerability in third party software that we use and that vulnerability is covered by a bug bounty program, we will not try to claim this bounty; you should.
Door op "Accepteren" te klikken, gaat u akkoord met het opslaan van cookies op uw apparaat om sitenavigatie te verbeteren, sitegebruik te analyseren en te helpen bij onze marketinginspanningen. Bekijk ons privacybeleid voor meer informatie.