Responsible disclosure

At Waterschap Rijn en IJssel, we consider the security of our systems, and the data contained on those systems, very important. You can help us with this.

Although we continuously work to maintain and improve this security, vulnerabilities can still occur in our systems. If you have discovered such a vulnerability, we would like to hear about it so that we can take measures to make our systems secure again as quickly as possible.

We ask you:

Email your findings to CERT-WM in encrypted form. You can use PGP for this, or a secure 7zip file. CERT-WM contact information: e-mail: cert@hetwaterschapshuis.nl.
Do not abuse the vulnerability by downloading, changing or deleting data.
Do not share the vulnerability with others until it is resolved, and delete any confidential data you may have obtained.
Do not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications.
Provide sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.

From us you can expect:

That we will send a confirmation of receipt of your report within 3 business days.
That we will respond substantively to your report within 30 days, with our assessment of the report and an expected date for resolution.
That, regarding the report, we will not take any legal action against you if you have complied with the above conditions.
That we will keep your report confidential and will not share your personal information with third parties without your consent unless necessary to comply with a legal obligation.
That we will keep you informed of the progress of resolving the problem.
That we will include your name as the discoverer in communications about the reported problem, if you wish.
As thanks for your help, we will offer you an appropriate reward for each report of a security problem on our systems that is still unknown to us. We will determine the nature and size of the reward based on the severity of the leak and the quality of the report.
We strive to resolve all problems as quickly as possible and are happy to be involved in any publication about the problem after it is resolved.