Responsible disclosure

We attach great importance to the security of our systems and the data (privacy) of our residents. Despite all precautions, it remains possible that a weak spot in the systems may be found. This could cause systems to fail or data to be altered by persons who are not authorized to do so. 

Explanation Responsible disclosure

Responsible disclosure means disclosing ICT vulnerabilities in a responsible manner and in collaboration between the reporter and the organisation. Anyone can submit a responsible disclosure report to a company, government agency, or organisation.

Report 

If you discover a vulnerability in one of our systems, we ask you to report it so that we can take appropriate measures quickly. By reporting a vulnerability, you agree to the terms and conditions below regarding responsible disclosure, and Waterschap Noorderzijlvest will handle your report in accordance with these terms and conditions.

We ask the following of you

  • If you find a vulnerability in one of our systems, please report it as soon as possible via the email address servicedesk@noorderzijlvest.nl.
  • Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient.
  • You can also give us tips that will help us solve the problem.
  • Limit yourself to verifiable facts relating to the vulnerability you have identified.
  • Always leave an email address or phone number so that we can contact you to work together on a safe result.

The following actions are not permitted

  • Placing malware, whether on our systems or on those of others.
  • Brute-forcing access to systems, except where strictly necessary to demonstrate that security in this area is seriously inadequate.
  • Using denial of service or social engineering, except where strictly necessary, to demonstrate that employees with access to sensitive data are (seriously) failing in their duty to handle it with care.
  • Disclosing or providing information about the security issue to third parties before it has been resolved, or sharing access with others.
  • Performing actions that go beyond what is strictly necessary to demonstrate and report the security issue. Do not copy, modify, or delete data from the system, and do not make any changes to the system.
  • Using techniques that reduce the availability and/or usability of the system or services (DoS attacks).
  • Abusing the vulnerability in any other way (whatever that may be).

What can you expect from the water authority?

  • We treat reports confidentially. We do not share personal data of a reporter with third parties without their consent, unless we are required to do so by law or court order.
  • You will receive confirmation of receipt within 3 business days.
  • We will respond to a report within seven business days with an initial assessment of the report. We will also indicate the expected date for a solution.
  • We will resolve the reported security issue as quickly as possible. We will strive to keep you well informed of the progress. The aim is to never take longer than 60 days to resolve the issue in systems (software). For issues in equipment (hardware), we will take a maximum of 6 months.
  • You will be notified of our assessment of the report and the further steps that will be taken.
  • If you meet all of the above conditions, the water authority will not file a criminal complaint. Nor will the water authority initiate civil proceedings.
  • A fitting gesture as a sign of our gratitude.