How can I report a weak spot in an ICT system of the RIVM / Rijksinstituut voor Volksgezondheid en Milieu (Responsible Disclosure)?
A weak spot in an ICT system of the RIVM can be reported to the National Cyber Security Center (NCSC) via the e-mail address cert@ncsc.nl. Report the vulnerability before making it known to the outside world. That way the RIVM can take measures first. This is called Responsible Disclosure.
What to think about with Responsible Disclosure
If you report a vulnerability in our ICT system, consider the following:
Provide sufficient information to reproduce the problem. This way we can solve the problem as quickly as possible. Usually the IP address or the URL (link) of the affected system and a description of the vulnerability are sufficient. More information may be required for more complex vulnerabilities.
Leave your contact details (e-mail address and/or telephone number) so that we can contact you.
Make the report as soon as possible after discovering the vulnerability.
Do not share the information about the security problem with others until it is resolved.
Handle your knowledge of the security problem responsibly. Do not perform any actions beyond what is necessary to demonstrate the security problem.
Does your report meet these conditions? Then we will not attach legal consequences to your report.
Do not abuse a weak spot in our ICT system
If you discover a vulnerability, do not take advantage of it, for example by:
- placing malware;
- copying, modifying or deleting data in a system (an alternative is to create a directory listing of the system);
- making changes to the system;
- repeatedly gaining access to the system or sharing access with others;
- using so-called brute forcing to gain access to systems;
- using denial-of-service or social engineering.
What we do when Responsible Disclosure comes to our attention
Have you reported a weak spot in our ICT system? With your report, we can prevent important information from falling into the wrong hands or being used for false or punishable acts.
We treat your report confidentially. We do not share personal information with third parties without your permission, unless this is required by law or by a court order. The national government can, if you wish, mention your name as the discoverer of the reported vulnerability. We will keep you informed about the processing of your report.
Guideline for Responsible Disclosure
In drafting this Responsible Disclosure policy, we used the Guidelines for Responsible Disclosure of the National Government. These guidelines also describe what reporters can do when they discover a vulnerability.