Responsible disclosure (English)

At the Municipality of Hardenberg, we consider the security of our systems very important. Despite our concern for the security of our systems, it is possible that there is still a weakness.

Did you find a weak spot in one of our systems? Please let us know, so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.

Looking for the Dutch text? Go to the Dutch page.

  • Please send us your report. Do not forget to mention your contact details (email address and / or telephone number) and mention that it concerns a vulnerability at the municipality of Hardenberg.
  • Do not abuse the problem, for example by downloading more data than is necessary to demonstrate the leak, or by viewing, deleting or modifying third-party data.
  • Clear all confidential data obtained through the breach immediately upon reporting the breach.
  • Do not use attacks on physical security, social engineering, spam, brute force or third party applications. The municipality also asks you not to use techniques that reduce the availability and / or usability of the service system.
  • Do not post, send, upload, link to or store malicious software.
  • Do not test what would result in sending spam or other unsolicited messages.
  • Do not perform automatic scans without first talking to us.
  • Do not test in a way that would compromise the operation of the solutions we use.
  • Do not make a vulnerability public within 30 days of its being resolved by us, and never without our explicit written permission. Do not include sensitive data in the disclosed vulnerability.
  • Provide us with sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability with an error message is sufficient, but more complex vulnerabilities may require more.

  • We will respond to your report within 5 business days with our assessment of the report.
  • If you have complied with the aforementioned terms and conditions, the municipality will not take legal action against you regarding the notification.
  • Your report will be treated confidentially and your personal data will not be shared with third parties without your permission, unless the municipality is obliged to do so by law or court order. Reporting under a pseudonym is possible.
  • The security vulnerability you reported will be resolved as soon as possible. In this, the municipality is often co-dependent on external parties. The municipality will keep you informed of the progress.
  • Whether and how the problem is published after it has been solved is determined in mutual consultation and in consultation with the Municipal Information Security Service. If you wish, the municipality will state your name as discoverer of the vulnerability found in the 'Wall of Fame' on its own website.
  • We can offer you a reward as a thank you for your help. Whether you receive a reward, and the size or form of the reward, depends on the severity of the vulnerability and the quality of the report. The municipality therefore evaluates each valid report.

By submitting a report to the municipality of Hardenberg, you acknowledge that you have read and agree to the above conditions. You also warrant that you are the finder of the submission, and you hereby grant us permission to use, reproduce, copy, modify and otherwise delete your submission in any manner that we deem necessary.

You agree that you will not use this disclosure for marketing or financing purposes, as a reference in any personal or professional presentation, or in documentation or other material.

In addition, you will not use the name or the logo of the municipality of Hardenberg in any form of online or physical communication regarding this vulnerability under Responsible Disclosure.

The contents of this policy are partly inspired by and partly taken from the example on responsibledisclosure.nl.

Vulnerabilities within the scope of this Responsible Disclosure policy include, but are not limited to:

  • Injection vulnerabilities
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS)
  • Remote Code Execution
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards
  • Directory/Path traversal
  • Exposed credentials

Vulnerabilities out of scope of this Responsible Disclosure policy include, but are not limited to:

  • Account enumeration using brute-force attacks
  • Cross-Site Request Forgery
  • Weak password policies and password complexity requirements
  • Missing HTTP security headers which do not lead to a vulnerability
  • Clickjacking on static websites
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of outdated browsers
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL issues, best practices or insecure ciphers
  • Incomplete or missing SPF/DMARC/DKIM records
  • Self-exploitation attacks
  • Social Engineering attacks
  • Test versions of applications
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect, unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction