Coordinated Vulnerability Disclosure

At HollandZorg, we take all matters of security seriously in order to ensure trust in our services and in the processing of personal and confidential information.

Unfortunately, security incidents occur in the current digital world. If you have discovered a vulnerability in one of our systems, please inform us so that we can take measures as soon as possible. We would like to cooperate with you in order to better protect our policyholders, our customers and our systems.

A vulnerability is a weakness in software, hardware, or security procedures that could potentially result in unauthorized access, exploitation, loss, or alteration of information.

What we ask of you:

  • Please send your findings as soon as possible to security@salland.nl. If possible, encrypt your findings with our PGP key (keyID:... fingerprint:...) to prevent the information from falling into the wrong hands.
  • Share the report with us in a confidential manner to prevent others from accessing this information.
  • Do not abuse the vulnerability by changing, deleting or copying data, or by making the entire service unavailable. However, a "directory listing" of a system is allowed.
  • Do not exploit the vulnerability any further than is necessary to demonstrate it.
  • Do not share the problem with others until it has been solved.
  • Do not place your own 'back door' in an information system to demonstrate the vulnerability. This can cause additional damage and pose unnecessary security risks.
  • Remove all confidential information obtained through the leak immediately after a solution has been applied.
  • Do not use brute-force attacks, attacks on physical security, social engineering, distributed denial of service (DDoS), spam, or attacks on vendor applications.
  • Provide enough information to reproduce the problem so that we can solve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities.

What you can expect from us:

  • We will aim to respond to your report within 3 days, including the expected resolution time frame. Of course, we will keep you updated on the progress of resolving the issue.
  • We will handle your report confidentially and will not share your personal information with third parties without your consent, unless required by law. Reporting anonymously or under a pseudonym is possible.
  • We consider it important to give you the credit that is due to you. We will only mention your name in a publication about the vulnerability if you agree to it.
  • As a token of appreciation for your help in better protecting our systems, we would like to reward you for reporting a vulnerability that was unknown to us so far. The reward depends on the severity of the vulnerability and the quality of the report.
  • We determine independently whether a reward will be granted, provided that the report is legitimate, concerns a new and substantial issue, and was made within the above conditions.

We are grateful if you take the time to report a security issue to us, and we look forward to working together. However, if you do not comply with the above conditions, we may take legal action. If you wish, we will publish news about the reported problem and name you as its discoverer.