Coordinated Vulnerability Disclosure (CVD) – EN

Introduction 

At Zorggroep Elde Maasduinen (ZGEM), we consider the security of our systems, data, and services to be of great importance.
Our vision is to make every phase of life valuable – and that also applies to how we handle digital security.

Despite our efforts to protect our systems, vulnerabilities may still exist. If you discover a security weakness, we highly appreciate it if you report it to us so that we can take appropriate and timely measures.

By submitting a report, you agree to the terms outlined in this Coordinated Vulnerability Disclosure (CVD) policy. ZGEM handles reports in cooperation with Stichting Z-CERT in accordance with these terms.
Reporting a Vulnerability 

You can report your findings to **Stichting Z-CERT** via email:
cvd@z-cert.nl
You can encrypt your message using Z-CERT’s PGP key: https://z-cert.nl/pgp

Please provide sufficient information to reproduce the issue. At a minimum, include:
– The IP address or URL of the affected system.
– A brief description of the vulnerability.
– Any additional information or evidence that helps reproduce the issue.

Z-CERT handles CVD reports on behalf of ZGEM and will work with you to address the issue carefully.

Certain topics are out of scope for this CVD policy. An overview of these topics is included at the end of this document.
Legal Framework 

Investigating vulnerabilities can, in some cases, be considered a criminal act under Dutch law (Article 138ab of the Dutch Criminal Code).
However, if you follow the rules for responsible disclosure described below, ZGEM will not file a criminal complaint or take legal action, unless legally required to do so.

Please note that the Dutch Public Prosecution Service (Openbaar Ministerie, OM) always retains the right to decide independently whether to initiate legal proceedings.

Rules for Responsible Disclosure 

We ask that you:
– Do not abuse or worsen the problem. Do not download, alter, or delete data that is not your own.
– Use only the minimum data necessary to demonstrate the impact, and use anonymised data wherever possible.
– Do not access special categories of personal data (such as medical data of clients or employees). If you suspect this is possible, please mention it in your report.
– Do not share your findings with others until the issue has been resolved and publication has been coordinated with us.
– Delete any confidential information obtained during your research as soon as the vulnerability has been remediated.
– Do not use physical attacks, social engineering, (D)DoS, spam, or brute-force attacks, and do not test systems belonging to third parties.

You may submit a report anonymously or under a pseudonym. Please note that in such cases, we will be unable to provide feedback on progress or publication.
What You Can Expect from ZGEM and Z-CERT 

ZGEM and Z-CERT will:
– Treat your report confidentially and will not share your personal data with third parties without your consent, unless required by law.
– Send you an acknowledgement of receipt. Within five working days, you will receive an initial response, including an assessment and an estimated resolution timeframe.
– Keep you informed of progress until the issue is resolved.
– Strive to remediate vulnerabilities as quickly as possible.
– Coordinate with you regarding publication once the vulnerability has been resolved.

Acknowledgement 

Researchers who contribute to improving the security of our systems may, with their consent, be listed in the **Z-CERT Hall of Fame**:
https://z-cert.nl/kwetsbaarheid-melden/hall-of-fame

Contact 

For questions or additional information regarding vulnerabilities and digital security, please contact:
cybersecurity@zgem.nl

Out of Scope 

ZGEM maintains a clear distinction between what is within and outside the scope of the Coordinated Vulnerability Disclosure (CVD) policy.

The following vulnerabilities and risks are considered out of scope for this policy, meaning they will not be processed within the CVD framework:

– HTTP 404 codes/pages or other HTTP non-200 codes/pages, and content spoofing or text injection on these pages.
– Version banner disclosure (service fingerprinting) on commonly used or public services.
– Disclosure of known public files or directories or non-sensitive information (e.g., robots.txt).
– Clickjacking and issues only exploitable through clickjacking.
– Missing Secure/HttpOnly flags on non-sensitive cookies.
– OPTIONS HTTP method enabled.
– Issues related solely to HTTP security headers, including:
   – Strict-Transport-Security
   – X-Frame-Options
   – X-XSS-Protection
   – X-Content-Type-Options
   – Content-Security-Policy
– TLS/SSL configuration issues, such as:
   – Forward secrecy not enabled.
   – Weak or insecure cipher suites.
– SPF, DKIM, or DMARC issues.
– Host header injection without demonstrable impact.
– Reporting older software versions without proof of concept or working exploit.
– Information leakage in metadata.

This list is not exhaustive but serves to clarify the most common reports that fall outside the CVD policy’s scope.