Responsible disclosure

The security of our systems is important to us! Despite our best efforts, our systems may still have vulnerabilities. We’d greatly appreciate it if you could inform us in such cases, helping us to make our environment even more secure. On this page, we explain how you can do this. This process is known as responsible disclosure.


Prosecution

In some cases, your actions may technically be punishable under criminal law. However, if you follow the conditions outlined below, HAN will not take legal action against you. Please note that the Public Prosecution Service still retains the right to decide whether to initiate criminal proceedings.

Method

  • Email your findings to cert@han.nl;
  • If you include sensitive or personal data, please encrypt your email;
  • Provide enough information for us to reproduce the vulnerability, for example:
    • the steps or commands you executed;
    • screenshots;
    • wherever relevant, make sure your report enables us to reproduce the vulnerability ourselves.
  • Limit your actions to what is strictly necessary to demonstrate the vulnerability:
    • Do not download more data than needed.
    • Do not modify or delete data.
    • Avoid actions that could damage systems or put people at risk.
    • Handle personal data with extra care.
  • Do not use the following:
    • attacks on physical security or third-party applications
    • social engineering
    • distributed denial-of-service (DDoS)
    • spam
    • phishing
  • Do not share details of the vulnerability until we confirm it has been resolved.
  • Keep proportionality in mind:
    • If you want to demonstrate that a vulnerability makes it possible to change data (e.g. on our website), do so by making a subtle, harmless change.
    • If you can access a database, avoid a full dump. A simple select statement with trivial data is sufficient.
  • Please delete any data you’ve downloaded once the vulnerability has been addressed or if we request it. Never share this data.
  • Our responsible disclosure policy is not an invitation to automatically scan our network; we monitor and scan our own infrastructure. Your scan will be detected and examined, causing unnecessary work and costs.

What we do

  • We will respond within 5 business days with our review and an estimated resolution timeline.
  • Your report will be treated confidentially. We will not share your personal information with third parties unless legally required to do so.
  • We will keep you informed of the progress.
  • If you wish, we will credit you by name in any public communication regarding the vulnerability.
  • If you are the first to report a specific vulnerability:
    • We will offer a reward based on the severity of the vulnerability, the magnitude of the risk, and the quality of your report.
    • This may range from a simple thank you to a small gift.

What you don't need to report

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injection on these pages;
  • fingerprinting/version listing on public services;
  • public files or directories with non-sensitive information (e.g., robots.txt);
  • clickjacking and problems that require clickjacking to exploit;
  • missing Secure/HttpOnly flags on non-sensitive cookies;
  • use of OPTIONS HTTP method;
  • issues related to HTTP security headers, such as:
    • Strict-Transport-Security;
    • X-Frame-Options;
    • X-XSS-Protection;
    • X-Content-Type-Options;
    • Content-Security-Policy;
  • SSL configuration issues, such as:
    • forward secrecy not enabled;
    • use of weak/insecure cipher suites;
  • issues with SPF, DKIM or DMARC;
  • host header injection;
  • reports of outdated software without a proof of concept of a working exploit;
  • information exposure in metadata.

Questions?

Contact us at cert@han.nl