Coordinated Vulnerability Disclosure (CVD)

At UG, we give utmost importance to the safety of systems. However, there can be weak points in systems despite the care we take regarding security. You can report these vulnerabilities to us.

Collaboration

If you have found a weakness, we would like to hear about it so that we can take appropriate measures as quickly as possible. We are keen to cooperate with you to protect users and systems better.

Not an invitation to actively scan

Our so-called Responsible Disclosure Policy is not an invitation to actively scan our network or our systems for weaknesses. We monitor our company network. Therefore, we are likely to pick up your scan, which our Computer Emergency Response Team (CERT) will investigate, and which will possibly lead to unnecessary costs.

Judicial prosecution

During your investigation it could be possible that you take actions that are prohibited by law. If you follow the conditions given in this agreement, we will not take legal action against you. However, the Public Prosecutor always has the right to decide whether or not to prosecute you.

Report your findings

Request to you

Please mail your findings as soon as possible to cert rug.nl. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
Do not abuse the found vulnerability, for example:

downloading more data than necessary

changing or removing data
Be extra cautious with personal data
Do not share the vulnerability with others until it is resolved
Do not test the physical security or third-party application, social engineering techniques (distributed) denial-of-service, malware, or spam.
Describe the issue found as explicitly and in detail as possible, and provide any evidence you might have. Be assured that your notifications will be received by specialists.
Do provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but complex vulnerabilities may require further explanation.

What we promise

We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
We will keep your report anonymous and will not pass on your personal details to third parties without your permission, unless the law requires us to provide your personal information.
We will keep you informed of the progress towards resolving the problem.
You can report anonymously or under a pseudonym. In this case, however, we will not be able to contact you for things such as follow-up steps, progress of resolving the issue, publication or any reward for reporting.
If you wish, we will mention your name as a vulnerability discoverer in the weakness report.
We may give you a reward for your research but are not obliged to do so. You are, therefore, not automatically entitled to a reimbursement. The form of this reward is not fixed in advance and is determined by us on a case-by-case basis. Whether to give a reward and in which form depends on the care taken in your investigation, the quality of the report and the seriousness of the leak.
We strive to solve all problems as quickly as possible and keep all parties involved informed. We will be glad to be involved in any publication about the weakness after it has been resolved.

Out of Scope

Out of scope

UG does not reward trivial vulnerabilities or bugs that cannot be abused. The following are examples of known and accepted vulnerabilities and risks that are outside the scope of the responsible disclosure policy:

HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
fingerprint version banner disclosure on common/public services.
disclosure of known public files or directories or non-sensitive information, (e.g. robots.txt).
clickjacking and issues only exploitable through clickjacking.
lack of Secure/HTTPOnly flags on non-sensitive Cookies.
OPTIONS HTTP method enabled.
anything related to HTTP security headers, e.g.:

Strict-Transport-Security.

X-Frame-Options.
- X-XSS-Protection.
- X-Content-Type-Options.
- Content-Security-Policy.
SSL Configuration Issues:

SSL forward secrecy not enabled.

weak / insecure cipher suites.
SPF, DKIM, DMARC issues.
host header injection.
reporting older versions of any software without proof of concept or working exploit.
information leakage in metadata.

CVD Hall of Fame

We would like to thank everyone who has reported a vulnerability. The first person to validly report an unknown vulnerability on cert@rug.nl will be inducted into the Hall of Fame.

UG thanks the following individuals for their responsible disclosure reports:

Sergen Koç (Linkedin)
Kartikey Aggarwal (CVOP)
Mayank Mukhi
Abhith Damodaran (X)
Gaurang Maheta (LinkedIn)
Anne Willem Huitema
Raju Basak (LinkedIn)
Floris van Trier (LinkedIn)
Vijay Sutar (LinkedIn)
Yathavan Seyavan (LinkedIn)
Nitya Nand Jha (Shunux) (LinkedIn)
Aashutosh Devkota
Milan Prakash (LinkedIn)
Aashutosh Devkota (LinkedIn)
Ciphershade (Gaurav Shukla) (LinkedIn)
Ahmad Alassaf (LinkedIn)
Raghav Sharma (LinkedIn)
Nilesh Agrawal Koyo (LinkedIn)
Sahil Nagmote (LinkedIn)

_{(Hall of Fame started 31-10-2023)}

Last modified:

08 November 2024 1.07 p.m.

View this page in: Nederlands