Corona-update: alles over voorlichtingen, sollicitaties en keuringen

Lees meer

Werken bij Defensie

Responsible disclosure

Zie Nederlandse versie

Responsible disclosure

Optimizing safety when it comes to the ICT systems is a top priority for the Dutch Ministry of Defense. However, as such systems remain vulnerable, possible loopholes and weaknesses cannot be eliminated. 

Hence, we would love to hear from you if you have found a weakness in one of our ICT systems. We will handle the safety issues accordingly, and therefore we make use of the following policy: 

What we ask of you:

  • To email your findings to sysop@werkenbijdefensie.nl. If possible, encrypt the email with the PGP-key of sysop@werkenbijdefensie.nl. This will prevent the wrong people benefitting from the information.
  • To provide enough information to reproduce the safety issue, ensuring that the Dutch Ministry of Defense can solve the problem quickly. More often than not, the IP-address or the URL of the ICT system and a description of the shortcoming(s) will be enough. However, when it is a more complex problem, an elaborate description could be necessary. 
  • To provide your contact details, either an email address or a phone number, so the Dutch Ministry of Defense can contact you. 
  • To not share the information regarding the safety issue until it has been solved.
  • To act responsibly and accordingly by not executing more than necessary actions required for the identification of the safety issue. 

Please do report:

  • Persistent Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Broken Authentication
  • Circumvention of our framework's privacy and permission models
  • Remote Code Execution

Please do not report:

  • Username dictionairy attack
  • Self-XSS
  • Missing / loosely configured DNS SPF / DMARC records
  • Social hacking
  • Publicly accessible login pages for cms/admin area's
  • Security vulnerabilities in third-party applications (like Kerio) that are not patched in the latest version
  • Denial of Service Vulnerabilities
  • Missing HSTS header
  • Missing DNSSEC
  • Missing/Loosely configured CSP headers (They are as strict as possible)
  • Attacks requiring DNS takeover

Whatever you do, please avoid the following actions:

  1. Spreading or distributing malware. 
  2. Copying, changing or deleting data in the system (an alternative would be making a directory listing of the system).
  3. Changing the system.
  4. Repeatedly acquiring access to the system or sharing the access with others. 
  5. Making use of “bruteforcing” the access to the system.
  6. Making use of a denial-of-service or social engineering.

What you can expect: 

  • When a shortcoming in werkenbijdefensie.nl is reported accordingly to the above stated terms and conditions, the Dutch Ministry of Defense will not articulate any legal consequences to the notification. 
  • The Dutch Ministry of Defense will process the report confidentially and no personal details without permission will be shared with third parties, unless this is a legal requirement. 
  • After consultation, the Dutch Ministry of Defense can acknowledge you by publishing your name as the one who identified this particular safety issue.  
  • Within one working day, the system operator of werkenbijdefensie.nl will send you a confirmation of receipt.
  • Within three working days, the system operator of werkenbijdefensie.nl will send you an evaluation of the safety issue. This will include an estimation of the time that it will take to solve the problem. 
  • The system operator of werkenbijdefensie.nl will keep you updated on the progress of solving the safety issue. 
  • The system operator of werkenbijdefensie.nl will try to resolve the safety issue as soon as possible, within a maximum time period of 60 days.
  • To thank you, a reward will be offered by the Dutch Ministry of Defense. This reward will vary depending on the seriousness of the issue, the quality of the report and whether the issue has been reported before. 

The public key for sending encrypted emails to sysop@werkenbijdefensie.nl:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFRPVqkBCADnUB9gQEsiisRy4itflJRjsEwDQ22qR4kQDB49NYA5CMfQ9KSQ
UctKAJz3WsfyrLaYE71DPyPH7k7k1LvSpG/Kbt2BxOq5efTWLq/4CkCZ64S7+58Q
CUY7iRsvCTIeCRZgIV9hmy485N71MApzE+HUBsXJA8+R5OYMlqNpnXrtfF1MhWLM
xdexLHb4ItjXKhOpYbtc4XqKq7TSk+o2CDUXN24t048tnLz797Q5K6WVcvwd91FM
+4ZU1QX3eoZN3GBiKX13maKsUCXFQCQVxWLYnTsTFLLo6xMRf8E6CvW8I656zBqG
+L4lNTYVm0U/dgtuTAif90WX98ks315yDeDrABEBAAG0N1N5c29wIHdlcmtlbmJp
amRlZmVuc2llLm5sIDxzeXNvcEB3ZXJrZW5iaWpkZWZlbnNpZS5ubD6JAVQEEwEK
AD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQRXVQzoHjHk8OI1oCmAMezv
VNjGtwUCXiHW7QUJEziBxAAKCRCAMezvVNjGt+W7B/49WqyhwDwWiugCW4C+1CGL
sXwZCwyQn5/Yg/cB2HlhHWTLPoMLxxOPNoK2T8zOfDy7NovfxShoEmfHmqjgwkUT
2aMfHmfhWoz86hNzDx+h5ZnL6j7AIAmq1UnIhTRSHqEU/WwmVyyuju9adxB/8KkH
pzulUfzFbUjv1Kgw6boLFfAvELc2QTxB1VzMRYem6HKh24jk5JTxdaMEDdGL4CHn
zof6pVLeGYz4ew0qju04w9Nqw5Wq51oZOWb6a6LNl9KgAZtCHgBpxtLh1SLda5mY
LerkuRUaIGcTyBK2/hozVWYduZjx4nXbtNy/0B42LCqp4dz6PcTIUfxW1Jh5hjvv
uQENBFRPVqkBCADApmOB+kTfbCxrMHyKQKo2lgZ+d6CFHlrRjHzL+AWgYNd8JIt7
wYnyEr8ZwcIC7hoaEDPulHiQntxPa2yKcRLKe+QfvfqNWsBE9F6LXeezv8hilcGw
5mQy85TeFkthq9vS/NTooEvC/vEBNR2FLHL/RkWOaT+sNrUDtEjm5P9Pmh9vySfn
iNvfjAlyPkR1OBaeMGkIOjscoBdUPGhvuiA89Zdc8pZ6sW6kG+owTR1MDFbAiER1
/Q1sYUZ8V/MZMFVAZasgEnmprunH+3Uix6Fef2Cyvw6GO1nsFnvVXZ99KMZ6o95t
nO40GzsgUh9ccGDE7JXzvKX3od06UKmq19iFABEBAAGJATwEGAEKACYCGwwWIQRX
VQzoHjHk8OI1oCmAMezvVNjGtwUCXiHW8QUJEziByAAKCRCAMezvVNjGtwI5CACI
gH0YjUa8b4AZCMH+lEvc0r5qdCNeKfcZUr/sr+piUyhnugXptZ7WftxQu/bh8/Ku
cmYYJsODiKR7IFmuCsiVhqlLgdtS1uwIxrm9++AndyzuSj+Jm6xIQibvlibZUaFG
B9bIdUBaeG7sXOpCiLumUqHlZwYOF/opz6v8+0go7+lLgHRrv5hvAvFPyjL2tVCv
eh1BjwBTjEW4WYbO0TMatLzlA9AZ3/LFnsPfOOrx+cDx5KoU7ce1En4tTYXdFOk1
tMzC/56icExOhDNvi8yTK/Wk6PzcnMjRo3+fyA+XUDY/cZgxkwwVZpNLzzykozAY
l5NhyrccTQ7IwRtPKZmZ
=eBve
-----END PGP PUBLIC KEY BLOCK-----