Reporting Vulnerabilities

The province of Groningen considers the security of its own information systems very important. Despite our efforts to secure them, it is possible that a vulnerability may still exist. If you have discovered a vulnerability in one of our systems, we would like to hear about it so that we can take measures as soon as possible. We would like to collaborate with you to enhance the protection of our systems.

We ask you to:

  • Email your findings to cert@provinciegroningen.nl;
  • Encrypt the findings with our PGP key if possible to prevent the information from falling into the wrong hands;
  • Provide sufficient information to reproduce the problem, such as the IP address or URL of the affected system, and a description of the vulnerability. Additional details may be required.

For more complex vulnerabilities:

  • Provide contact information so that we can collaborate with you to achieve a secure outcome (please include at least an email address or phone number);
  • Report the vulnerability promptly upon discovery;
  • Avoid sharing information about the security issue with others until it is resolved;
  • Handle knowledge of the security issue responsibly by refraining from taking actions beyond what is necessary to demonstrate the issue.

You should avoid:

  • Deploying malware;
  • Copying, modifying, or deleting data within a system (an alternative is to create a directory listing of a system);
  • Making changes to the system;
  • Repeatedly gaining access to the system or sharing access with others;
  • Utilizing brute force to access systems;
  • Using denial-of-service or social engineering.

What you can expect:

  • If you meet all the above conditions when reporting a vulnerability in an ICT system of the province of Groningen, we will not pursue any legal consequences for this report;
  • We treat reports confidentially and do not share personal data with third parties without the reporter's consent, unless required by law or by court order;
  • Upon mutual agreement, we may acknowledge you as the discoverer of the reported vulnerability;
  • We will send you a confirmation of receipt within 1 working day;
  • We will respond to a report within 3 working days, providing an assessment and an expected date for a solution;
  • We will keep you informed of the progress in resolving the issue;
  • We will address the security issue identified in a system as promptly as possible, aiming for resolution within 90 days. We can mutually decide whether and how to publish the issue after resolution.

Nederlandse Vertaling

Kwetsbaarheid melden (Nederlands)