
Responsible Disclosure

Below you will find the Responsible Disclosure policy of the KNAW, to which the Rathenau Institute is also committed.

At the Academy, we consider the security of our IT systems to be very important. Despite our care for the security of our systems, a weakness may nevertheless exist. If you find a weakness in one of our systems, please report it to us immediately so that we can take action as quickly as possible. We would like to cooperate with you to protect our users and our systems more effectively.

Not an invitation to active scanning

Our responsible disclosure policy is not an invitation to actively scan the Academy network for weaknesses. We monitor our network: a scan may well be picked up, after which our CSIRT-KNAW team has to investigate it, resulting in unnecessary costs.

Criminal law and responsible disclosure

There is a likelihood that during your investigation, you may perform acts that are punishable under criminal law. If you have complied with the conditions below, we will not take any legal action against you regarding the report. The Public Prosecutor's Office always retains the right to decide whether to prosecute you. The Public Prosecutor's Office has published information about this: https://www.om.nl/onderwerpen/cybercrime/hack_right/zelf-fouten-in-ict-systemen-zoeken.

We ask you to do the following

  • Please e-mail your findings as soon as possible to CSIRT@knaw.nl.
  • Do not exploit the weakness by, for example:
    - downloading more data than necessary to demonstrate the leak
    - changing or deleting data
  • Be extra cautious in the case of personal data.
  • Do not share the weakness with others until it is resolved.
  • Do not use attacks on physical security or third-party applications, social engineering, distributed denial-of-service, or spam.
  • Please provide sufficient information to reproduce the weakness so that we can solve the issue as soon as possible. In most cases, the IP address or the URL of the affected system and a description of the vulnerability and the actions performed are sufficient, but for more complex vulnerabilities more may be needed.

What we promise

  • We will respond to your report within five (5) working days with our assessment of the report and an expected date for resolution.
  • We will treat your report as confidential and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation.
  • We will keep you informed of the progress in resolving the weakness.
  • Anonymous or pseudonymous reporting is possible. You should be aware that this does mean we cannot contact you about, for example, the next steps, the progress of resolving the leak, publication or any reward for the report.
  • In reports relating to the weakness, we will, if you wish, include your name as the person who discovered it.
  • We can reward you for your investigation. However, we are not obliged to do so. Therefore, you are not automatically entitled to a payment. The form of this reward is not fixed in advance and will be determined by us on a case-by-case basis. Whether we give a reward and the form of the reward depend on the diligence of your investigation, the quality of the report and the seriousness of the leak.
  • We strive to solve all problems as quickly as possible and keep all parties involved informed. We would like to be involved in any publication about the weakness after it has been resolved.

Exceptions

The Academy network also provides Internet access for researchers, international collaborative ventures and affiliates who maintain their own websites and systems. Reports concerning such systems and sites are accepted and forwarded to the responsible organisations. What these organisations do with such reports is outside the Academy's visibility and scope.

The Academy does not respond to reports of trivial vulnerabilities or bugs that cannot be misused. Examples of known vulnerabilities and accepted risks (not exhaustive), which are not covered by the above scheme, are given below:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages, and content spoofing/text injection on these pages
  • fingerprinting/version labelling on public services
  • missing best practices without proof of exploitability
  • raw output of automated scanning tools (for example web, SSL/TLS or Nmap scan results) without proof of exploitability
  • public files or directories containing non-sensitive information (e.g. robots.txt)
  • clickjacking and problems that can only be exploited via clickjacking
  • missing Secure/HttpOnly flags on non-sensitive cookies
  • the OPTIONS HTTP method being enabled
  • anything related to HTTP security headers, for example:
    - Strict-Transport-Security
    - X-Frame-Options
    - X-XSS-Protection
    - X-Content-Type-Options
    - Content-Security-Policy
  • issues with the SSL/TLS configuration, for example:
    - forward secrecy disabled
    - weak/unsafe cipher suites
  • issues with SPF, DKIM or DMARC
  • host header injection
  • reports of obsolete versions of any software without a proof of concept of a working exploit
  • information exposure in metadata

Our policy is subject to a Creative Commons Attribution 3.0 licence. The policy is based on the example policy of Floor Terra (responsibledisclosure.nl), the SURF Model Responsible Disclosure and on examples from the university world (University of Twente, VU Amsterdam, Fontys).

The most recent version of this policy can be found on the website of the KNAW.