Responsible disclosure

Did you find a security problem in our systems?
Please let us know.

Every day, IT and security specialists work hard to improve the security of our systems and the safety of customer data. That does not mean our systems are always completely flawless; vulnerabilities can still arise. If you come across one, please let us know. We would like to work with you to keep our systems as secure as possible.

Please note that this responsible disclosure policy does not grant permission to actively scan our systems for vulnerabilities. Doing so will be treated as an illegal attempt to harm DELA.

Check out our Hall of Fame.

In scope

You can submit reports regarding security issues on DELA websites and services including, but not limited to:

  • Lack of a secure connection
  • Cross-Site Scripting (XSS) vulnerabilities
  • SQL injection vulnerabilities
  • Remote code execution

Out of scope

This Responsible Disclosure Policy is not meant for:

  • Reporting viruses
  • Reporting fake emails (phishing)
  • Reporting that one of our websites is unavailable
  • Reporting fraud

Exclusions

Please note that no reward is given when the vulnerability is already known to us or when the associated risk is acceptable. Examples of findings that will not be rewarded:

  • HTTP 404 or other non-200 status codes
  • Unencrypted text on 404 pages
  • Missing ‘Secure’ / ‘HttpOnly’ flags on non-sensitive cookies
  • The HTTP OPTIONS method being enabled
  • Missing HTTP security headers
  • Missing SPF, DKIM or DMARC records
  • Lack of DNSSEC
  • Version banners on public services
  • Host header injection
  • Publicly accessible files and folders containing non-sensitive information
  • Clickjacking on pages without a login feature
  • Cross-site request forgery (CSRF) on forms that can be submitted anonymously
  • Denial-of-service (DoS/DDoS) findings
  • Rate-limiting weaknesses with no significant impact
  • Certificate or other SSL/TLS configuration issues

Rules of Engagement

Did you discover a weak spot? In most cases the IP address or URL is enough. Please describe the vulnerability you found and the actions you took when you discovered it. For a complex problem we may contact you for more information.

  • Share your findings only with us and do not make them public, even if you feel it is taking a long time. Sometimes we need a little time to solve the problem.
  • Do not use automated tooling to look for security problems. Do not abuse the problem or cause any damage: for example, do not download more data than necessary to demonstrate the leak, and never change or delete data. Be extra cautious when personal data is involved.
  • Do not publicly disclose any data.
  • Send us only the minimal data needed to demonstrate the problem, for example a directory listing or a screenshot.
  • Do not place a backdoor to demonstrate a security problem; doing so could cause additional damage and create unnecessary security risks.
  • Do not share your findings with others until we let you know the issue has been resolved.

Your research may involve actions that are not permitted by law. We will not report you if you act in good faith, carefully and according to the rules above.

How to send in your report

We highly appreciate your help. Please encrypt your report with our PGP key and send it to security[a]dela.org. Please note that we can only accept reports written in Dutch or English.
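Added example, not DELA's own tooling: a POSIX shell script that imports the published PGP key into a throwaway keyring, checks the key's fingerprint against the one you verified out of band, and only then encrypts the report (ASCII-armoured, so it can be pasted into an e-mail). The key file name dela-security.asc, the all-zero placeholder fingerprint, the report file names and the de-obfuscated address security@dela.org are assumptions, not values taken from this page.

```shell
#!/bin/sh
# Encrypt a vulnerability report for a disclosure mailbox after verifying
# the recipient key's fingerprint. Example code; none of the values below
# come from DELA.
set -eu

# Assumption: the key downloaded from the policy page is stored as this file.
KEY_FILE="${KEY_FILE:-dela-security.asc}"
# Assumption: the obfuscated address on the page resolves to this mailbox.
RECIPIENT="${RECIPIENT:-security@dela.org}"
# Placeholder: replace with the fingerprint you confirmed through a second
# channel (the web page over HTTPS, a keyserver, a previous e-mail thread).
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Normalise a fingerprint so the human display form ("1234 5678 ...") and
# the raw 40-hex form from gpg compare equal: drop spaces/colons, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Return 0 (true) when two fingerprints match after normalisation.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# encrypt_report <plaintext-file> <output-file>
# Imports KEY_FILE into a temporary keyring, extracts the primary key
# fingerprint from gpg's machine-readable output, refuses to continue on a
# mismatch, and otherwise writes an armoured ciphertext to <output-file>.
encrypt_report() {
    report="$1"
    out="$2"
    tmp_home=$(mktemp -d)
    trap 'rm -rf "$tmp_home"' EXIT

    gpg --homedir "$tmp_home" --batch --quiet --import "$KEY_FILE"

    # "fpr" records carry the fingerprint in field 10; the first one is the
    # primary key (subkeys follow).
    actual=$(gpg --homedir "$tmp_home" --batch --with-colons --fingerprint "$RECIPIENT" \
        | awk -F: '$1 == "fpr" { print $10; exit }')

    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint mismatch for $RECIPIENT: got $actual" >&2
        return 1
    fi

    # The fingerprint check above is our trust decision, so tell gpg not to
    # apply its own web-of-trust check on this throwaway keyring.
    gpg --homedir "$tmp_home" --batch --trust-model always --armor \
        --recipient "$RECIPIENT" --output "$out" --encrypt "$report"
}

# Usage (assumed file names): encrypt_report report.txt report.txt.asc
```

The fingerprint comparison is the step that matters: importing a key from the same web page you are about to report a vulnerability on gives you no assurance by itself, so confirm the fingerprint through a second channel before encrypting anything sensitive to it.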

What happens after you have sent us your report?

A team of security experts will verify your submission and respond within three working days. Please give them the opportunity and time to investigate the issue thoroughly. We will only use your contact details for communication about the report and will not share them with others unless required to do so by law. If, for example, we notice that you are not acting in good faith and are doing something punishable, we will report this to the police.

If you make your report anonymously, we cannot keep you informed and will not be able to reward you.

Reward conditions

DELA highly appreciates your effort to help us improve our systems and processes. In most circumstances you are eligible for a suitable reward. Is it a severe security problem that we were not yet aware of? Then we would like to thank you with one or more gift vouchers (up to a maximum of €300) and eternal glory with a listing in our Hall of Fame. The decision whether to give a reward is entirely at our discretion. The size of the reward is based on the risk and impact of the reported security problem.
Please note that no reward will be given when we conclude that there is no real security problem or when we consider the risk low or acceptable. If the same issue is reported more than once, the reward goes to the first reporter.

You can be listed in our Hall of Fame under your own name or an alias. We can add a link to your LinkedIn or Twitter profile (no Facebook or Instagram).