If you identify a security problem in one of our ICT systems or websites please notify us without delay on email@example.com before disclosing the security problem to the outside world, enabling us to take prompt measures. This is known as responsible disclosure.
How to notify us
If you have identified a security problem in one of our ICT systems or websites, please proceed as follows:
- Send us your notification without delay on firstname.lastname@example.org. Please use our PGP key to prevent unauthorised users from accessing the information. See our contact and directions page for more information.
- Do not share any information about the identified security problem with third parties until it has been resolved.
- Please give us a clear description of how and when the problem occurs. Describe how the problem can be reproduced and provide us with information on the method that was used and the time of discovery.
- Act responsibly in dealing with your knowledge of the security problem. Do not take any any actions that go beyond what is needed to demonstrate the problem. Do not use the security problem to your own advantage and do not store any confidential data obtained as a result of the problem.
- State your contact details (email address or telephone number) so that we can keep you updated on the status of the problem.
- Scope is dnb.nl.
If your notification meets these requirements, there will not be any legal consequences.
How will we treat your Responsible Disclosure notification?
If you notify us of a security problem in an ICT system or website, we will treat your notification as follows.
- Our Information Desk will confirm receipt within two business days.
- We will send you our response within three days of the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. We will provide you with progress reports.
- We will always treat your notification confidentially and will never share your personal data with third parties, except when obliged to do so by law or pursuant to a court ruling.
- We consult you on whether and how the issue is to be made public. We will never do so before the problem has been resolved. If we make the issue public, we will give you credit for identifying it, if you wish.
- We will reward you as a token of our gratitude. The reward will depend on the gravity and scale of the identified problem and the quality of your report.
The above procedure is based on the Coordinated Vulnerability Disclosure Guidelines (Refers to an external site) of the National Cyber Security Centre.
The following reports will not be taken into consideration :
- The policy of SPF / DKIM / DMARC.
- The opportunity to use cross-site scripting on a static website or a website that does not process any sensitive (user) data.
- The lack of HTTP security headers as used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless this lack of a security header demonstrably results in a security problem.
DNB is already aware of these matters.