Coordinated Vulnerability Disclosure (CVD)

CBS is continuously working on the security of its ICT systems. Nevertheless, it may happen that there is a weakness in one of our systems or websites. If you should discover such a vulnerability, we would very much appreciate your reporting it to us by sending an email to: cert@cbs.nl.

By reporting the vulnerability before you make it known to the outside world, you enable CBS to take measures first. This is called Coordinated Vulnerability Disclosure (formerly Responsible Disclosure). CBS follows the Dutch central government’s policy in this respect.

How to report a vulnerability

If you report a vulnerability in an ICT system, please consider the following:

  • Include sufficient information in your report to reproduce the issue, which helps CBS to resolve the issue quickly. It is usually sufficient to state the IP address or URL of the system affected and a description of the vulnerability. Further details may be required for more complex vulnerabilities.
  • Provide your contact details (email address or telephone number) so CBS can contact you.
  • Submit your report as quickly as possible after discovering the vulnerability.
  • Do not share information about the security issue with others until it has been resolved.
  • Handle knowledge about the security issue responsibly by not taking any action other than what is necessary to demonstrate the security issue.

Do not take advantage of a vulnerability in an ICT system

If you discover a vulnerability, do not abuse it. For example, by:

  • installing malware;
  • copying, changing or deleting data in a system (an alternative is creating a directory listing of a system);
  • making changes to the system;
  • repeatedly gaining access to the system or sharing access with others;
  • using brute-force attacks to gain access to a system;
  • using Denial of Service or social engineering.

How does CBS handle your report?

CBS handles your report as follows:

  • CBS will send you an acknowledgement of receipt within one working day.
  • CBS will respond to your report within three working days. The response will include an assessment of the report and a date by which the issue is expected to be resolved.
  • CBS will keep you, the reporting party, informed about the progress in the resolving of the issue.
  • CBS will try to resolve the security issue as soon as possible, but at the very latest within 60 days. Together with you, CBS will decide whether and when to release details, if any, of the issue you reported. Such details are only published once the issue has been resolved.

CBS will handle your report confidentially and will not share personal details with third parties without your consent, unless obliged to do so pursuant to a statutory provision or court ruling. If you wish, CBS will mention your name as the person who discovered the reported vulnerability.