
Coordinated Vulnerability Disclosure (CVD)

Coordinated Vulnerability Disclosure (CVD), formerly known as Responsible Disclosure, is the practice of reporting and resolving ICT vulnerabilities in a responsible way, jointly (coordinated) between the reporter and the affected organization. How Fontys handles CVD, which preconditions we apply and which commitments we make are described below.

Fontys University of Applied Sciences considers the security and undisturbed operation of its information systems very important and therefore embraces the principle of CVD: we welcome reports of ICT vulnerabilities from outside. Despite the care and attention we give to the security of our information systems, a vulnerability may still occur. Should you, as a well-intentioned ethical hacker, have discovered one, we ask you to report it.

What Fontys expects of you:

  • First read this CVD policy carefully and follow its guidelines. Please note: failure to comply may result in Fontys pressing charges or in criminal prosecution by the Public Prosecution Service; see the relevant paragraph further on.
  • Report your finding(s) about the vulnerability found in our systems as quickly as possible via the Vulnerability Report Form in order to give Fontys the opportunity to remedy the vulnerability and thereby prevent information falling into the wrong hands.
  • The reporter may not make the submission of a report, or the further provision of information, dependent on any reward.
  • Act proportionately: do not collect, view or investigate more than is necessary to demonstrate the vulnerability.
  • Follow the subsidiarity requirement: limit yourself to the least intrusive ways/methods of demonstrating the vulnerability instead of far-reaching (and potentially damaging) research, such as permanent active scans. The Fontys CVD policy is not a call for extensive or permanent active scanning of our network, infrastructure, systems or applications in search of weak spots and vulnerabilities. Fontys monitors its own network. There is a good chance that we will detect your scan, after which our Security Operations Center will carry out an investigation, possibly leading to unnecessary costs.
  • Prevent abuse of the vulnerability found, for example (not exhaustive) by not:
    - downloading or accessing data for longer, or in greater quantity, than is necessary to demonstrate the vulnerability
    - altering, deleting, moving, copying or otherwise processing data
    - gaining an advantage or profit for yourself, harming others, and/or putting Fontys under pressure.
  • Be extra cautious with personal data. Avoid inspecting, copying, forwarding or otherwise processing it. Do not include any personal data you find in the report.
  • Do not share the vulnerability with others until it is resolved.
  • Do not use attacks on physical security or third-party applications, social engineering, (distributed) denial-of-service (DDoS), malware, spam or other techniques that damage (or may damage) access to our data or the operation of our environment.
  • Provide sufficient evidence via the online report form (in the text field or, if needed, in an enclosed attachment) to allow Fontys to reproduce the vulnerability itself, so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system, a description of the vulnerability and the steps taken to demonstrate it are sufficient. More complex vulnerabilities may need more explanation; in that case collect this information in a separate file and upload it as a .pdf attachment in the online report form.

What can you (notifier) expect from Fontys?

  • In principle, we will not press charges or take any other legal steps if the investigation and the report have been carried out within the conditions set out above.
  • We will respond to you (the reporter) within 5 working days with our assessment of the submitted report and an expected date for a solution (target term: 60 days).
  • We will treat your report confidentially and will not share your personal information with third parties without your permission, unless this is necessary to comply with a legal obligation.
  • We will keep you informed about the progress of the vulnerability resolution.
  • As a thank you for your help, we show our appreciation by including you in our Wall of Fame.
  • If you indicate that you wish this, we will place your name, the date of your report and, if desired, a link to your personal page on our Wall of Fame. In communications about the reported vulnerability we will, if you wish, mention your name as the discoverer of the vulnerability. In some cases we will consider whether a reward is possible, based on the severity of the vulnerability and the quality of the report.
  • You can report anonymously or under a pseudonym. In that case, however, we will not be able to contact you about, for example, the next steps, progress in resolving the vulnerability, publication or any reward/appreciation for the report.
  • We strive to resolve all issues arising from the vulnerability as quickly as possible and will -if relevant- keep all parties involved informed. The resolution time strongly depends on the nature of the vulnerability and type of system (guideline: 60 days for software, 6 months for hardware).
  • If a vulnerability cannot be resolved, can only be resolved with great difficulty, or can only be resolved at disproportionately high cost, Fontys may, in consultation with the reporter, decide to treat the vulnerability as an accepted risk and not resolve it.
  • We will make clear agreements with the notifier in a coordinated manner regarding possible disclosure of the vulnerability after it has been resolved.

Criminal prosecution / Public Prosecution

It is possible that during your research you carry out actions that are punishable under criminal law. If you comply with the conditions above, Fontys will not take any legal action against you.

The Public Prosecution Service (OM) expects ethical hackers to have familiarized themselves with an organization's CVD policy, or to have consulted the National Cyber Security Centre's 'Guideline on Coordinated Vulnerability Disclosure', before starting to search for and report vulnerabilities.

The Public Prosecution Service uses the following criteria to determine whether an action qualifies as CVD / ethical hacking:

  • Was action taken in the context of a substantial public interest?
  • Was the action proportionate? (Did the hacker go no further than necessary to achieve their goal?)
  • Was the subsidiarity requirement met? (Was there no less far-reaching way to achieve the goal the hacker intended?)

It is up to the Public Prosecution Service to decide whether to prosecute an (ethical) hacker. If an ethical hacker finds a vulnerability in an organization's ICT system and reports it to the organization in question, in principle no criminal investigation will be initiated.

Read more (in Dutch): https://www.om.nl/documenten/richtlijnen/2020/december/14/om-beleidsbrief-ethisch-hacken.


For questions or ambiguities about the Fontys CVD policy contact ISP-office@fontys.nl.

Our policy is under a Creative Commons Attribution (BY) 3.0 license.
The policy is based on Floor Terra's sample policy.