Responsible Disclosure Policy

At the KNAW, we find the security of our systems very important. Despite our care for the security of our systems, it may happen that there is a weak spot. Please notify us immediately if you have found a weak spot in one of our systems, so that we can take measures as quickly as possible. We would like to work with you to better protect our users and our systems.

Not an invitation to active scanning

Our Responsible Disclosure Policy is not an invitation to engage in extensive active scanning of our KNAW network to discover vulnerabilities. We monitor our corporate network. There is a chance that a scan will be picked up and our CSIRT-KNAW group will have to investigate, resulting in unnecessary costs.

Criminal Law and Responsible Disclosure

There is a chance that during the course of your research, you may take actions that are punishable under criminal law. If you have complied with the conditions below, we will not take legal action against you regarding the report. The Public Prosecutor’s Office always retains the right to decide whether to prosecute you. The Public Prosecution Service has published information about this.

We ask you to do the following

• Email your findings as soon as possible to CSIRT@knaw.nl.
• Do not abuse the weakness by, for example
• – downloading more data than is necessary to prove the leak
• – changing or deleting data
• Be extra cautious with personal data.
• Do not share the vulnerability with others until it is resolved.
• Do not use attacks on physical security or third-party applications, social engineering, distributed denial-of-service, or spam.
• Provide sufficient information to reproduce the vulnerability so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability and the actions performed are sufficient, but more complex vulnerabilities may require more.

What we promise

• We will respond to your report within 5 working days with our assessment of the report and an expected date for resolution,
• We will treat your report confidentially and will not share your personal data with third parties without your permission unless this is necessary to comply with a legal obligation.
• We will keep you informed of the progress in resolving the vulnerability.
• Anonymous or pseudonymous reporting is possible. Please note that this does mean we cannot contact you about the next steps, the progress of resolving the leak, publication or a possible reward for the report.
• In reporting the reported vulnerability, we will, if you wish, include your name as the discoverer of the vulnerability.
• We may give you a reward for your research. However, we are not obliged to do so. You are therefore not automatically entitled to remuneration. The form of this reward is not fixed in advance and will be determined by us on a case-by-case basis. Whether we offer a reward and the form of the reward depend on the diligence of your investigation, the quality of the report and the seriousness of the leak.
• We strive to resolve all issues as quickly as possible and to keep all parties involved informed. We are happy to be involved in any publication about the vulnerability after it has been resolved.

Exceptions

The KNAW network also provides Internet access for researchers, international partnerships and affiliated parties that maintain their own websites and systems. Reports for such systems and sites are accepted and forwarded to the responsible organisations. What these organisations do with it is beyond the KNAW’s sight and scope.

The KNAW does not respond to reports about trivial vulnerabilities or bugs that cannot be exploited. Below are examples of known vulnerabilities and accepted risks (not exhaustive) that fall outside the scope of the above arrangement:

• HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injecting on these pages fingerprinting/version marking on public services lack of best practice or output automated scanning tools without proof of exploitability;
• output automated scans from tools. Examples: Web, SSL / TLS scan, Nmap scan results, etc.
• public files or directories with insensitive information (e.g. robots.txt)
• clickjacking and problems that can only be exploited via clickjacking
• no secure/HTTP-only flags on insensitive cookies
  • OPTIONS HTTP method enabled
  • Anything related to HTTP security headers, for example:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content Security Policy
• SSL configuration issues
  • SSL Forward secrecy disabled
  • Weak/unsafe cipher suites
• issues with SPF, DKIM or DMARC
• host header injection
• reports of outdated versions of any software without a proof of concept of a working exploit
• information exposure in metadata

Our policy is covered by a Creative Commons Attribution 3.0 licence. The policy is based on the example policy of Floor Terra (responsibledisclosure.nl), the SURF Model Responsible Disclosure and on examples from the university world (University of Twente, Free University, Fontys).