Responsible disclosure

If you have found a weak spot in one of the ICT systems of the KNB, the KNB would like to hear about this from you, so the necessary measures can be taken as quickly as possible to rectify the vulnerability. To deal with the vulnerabilities in the KNB ICT systems responsibly, we propose several agreements. You may hold the KNB to this when you discover a weak spot in one of our systems.

The KNB asks you:

  • To e-mail your findings to responsible-disclosure@knb.nl. Encrypt your findings if possible to prevent the information falling into the wrong hands.
  • Provide sufficient information to reproduce the problem so that the KNB can solve the problem as quickly as possible. The IP address or the URL of the system affected and a description of the vulnerability is usually sufficient, but more may be needed for more complex vulnerabilities.
  • Leave your contact details so that the KNB can contact you to cooperate on a safe result. At least, leave an e-mail address or a telephone number.
  • Report the vulnerability as quickly as possible after its discovery.
  • Not to share the information on the security problem with others until the problem has been solved.
  • Not to abuse the weakness, for example: do not download more data then needed.
  • Handle the knowledge on the security problem with care by not performing any acts other than those necessary to reveal the security problem.
  • To avoid the following acts, installing malware, copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system), making changes to a system, repeatedly accessing the system or sharing access with others, using so-called “brute force” to access systems, using denial-of-service or social engineering.

What you can expect:

  • If you comply with the conditions above when reporting the observed vulnerability in an ICT system of the KNB, the KNB will not attach any legal consequences to this report.
  • The KNB handles a report confidentially and does not share personal details with third parties without permission from the reporter, unless this is mandatory by virtue of a judicial decision.
  • In mutual consultation, the KNB can, if you desire, mention your name as the discoverer of the reported vulnerability.
  • The KNB responds within three working days to a report with an assessment of the report and an expected date for a solution.
  • The KNB keeps the reporter up-to-date on the progress made with solving the problem.
  • As a show of gratitude the KNB offers a reward for reporting any serious problem that is unknown to KNB. The reward can vary, depending on the seriousness of the security problem and the quality of the report.

The KNB tries to solve the security problems observed by you in a system as quickly as possible. In mutual consultation, whether and in what way the problem will be published, after it has been solved, is determined.

Hall of fame