Coordinated Vulnerability Disclosure

At Z-CERT we find the safety of our own systems very important. Despite our concern for the security of our systems, it is possible that there is a weak spot.If you have found a weak spot in one of our systems or a system of a Z-CERT member organisation for whom we handle their Coordinated Vulnerability Disclosures (CVD’s), we would like to hear from you. This way, we can take measures as soon as possible. We would like to work with you to better protect these organisations and our systems.

If you comply with our Coordinated Vulnerability Disclosure policy we have no reason to take legal action against you.

• Make sure that your findings are in scope. Further on this page you can check what is considered to be out-of-scope.
• Use this link to send your findings securely to us. Or fill out every aspect of this mail template, encrypt it with our PGP-key and send it to us.
• Provide adequate information to allow us to investigate and reproduce the vulnerability. This helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities. You may add a proof of concept.
• Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
• If you suspect to have access to medical data, we ask you to let us verify this.
• Do not share information on vulnerabilities until they have been resolved and erase any obtained data as soon as the problem is solved.
• Do not attack (physical) security using social engineering, distributed denial of service, spam, brute force attacks, third-party applications for instance, or other types of attacks.

• Z-CERT will treat your report confidentially and will not share your personal data unless required by law.
• Z-CERT will send you a confirmation of receipt and will respond within five working days with an evaluation of your report and an expected
  resolution date.
• Z-CERT will keep you informed of the progress in resolving the problem.
• In communication about the reported problem we will mention your name as the discoverer of the problem (unless you desire otherwise).
• If your report overlaps with a report on the same issue by another individual. In this case we will only accept the first report received by us.
  
• If your report is in scope, a thank you reward is offered, which can vary depending on the severity of the vulnerability and the quality of the report.
  
  We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved we will decide in consultation whether and how details will be published.
  
  With thanks to Floor Terra for his sample text in Dutch on responsibledisclosure.nl.
  Last update: April 8, 2025

1. HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injections in these pages.
2. Fingerprinting/version disclosures op public services.
3. Public files or directories that do not contain confidential information.
4. All disclosures of confidential/sensitive information will be judged by Z-CERT or the healthcare organization involved, and might be labeled “out of scope” if they do not pose a significant risk.
5. Click jacking, problems that can only be exploited by clickjacking.
6. No secure/HTTP-only flags on unconfidential cookies.
   
7. OPTIONS HTTP method enabled.
8. Rate-limiting without clear impact.
9. All issues related to HTTP security headers, for example:
   a. X-Frame-Options
   b. X-XSS-Protection
   c. X-Content-Type-Options
   d. Content-Security-Policy
   e. Strict-Transport-Security
10. SSL security configuration issues
    a. for example: SSL Forward secrecy disabled
11. No TXT record for DMARC or a missing CAA-record
12. Host header injection
13. Reports of outdated versions of any software without a proof of concept of a working exploit.
14. Absence of security best practices or hardening measures. Though important, they are not within scope of a CVD process.
    a. Example:xmlrpc.php/wp-json of a wordpress website
    b. Absence of rate limiting measures
15. Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
    
16. Social engineering of healthcare organisation staff or contractors. For example creating phishing pages.
17. Issues that result in Denial of Service (DoS) to organisations servers at the network or application layer.
18. Issues that require unlikely user interaction.
19. Cross-site Request Forgery with minimal security impact.
20. Issues related to software or protocols not under the organizations control. For example known issues with ARP or HL7.