Report a vulnerability
We make every effort to keep our ICT systems secure. In spite of these efforts, you may still identify a vulnerability. If you do, it is important that you report it to us. We can then take the appropriate measures as quickly as possible. We will be happy to work with you to keep our systems secure.
Please follow the procedure below
- Please inform us of the vulnerability you have identified as quickly as possible using the email address firstname.lastname@example.org (only use this address for this kind of communication).
- Please provide sufficient information so we can fix the vulnerability as quickly as possible. Usually, the IP address or URL of the system concerned and a description of the vulnerability are sufficient. More information may be needed for more complex vulnerabilities.
- Please also provide your email address or telephone number so we can contact you quickly if we have any questions about the vulnerability.
- Never share the information about the security issue with others until it has been resolved.
- It is important to deal with your knowledge of the security issue responsibly. Please therefore do not take any action beyond what is necessary to bring the issue to our attention.
- Be aware that any information obtained from the CAK’s systems is subject to the General Data Protection Regulation (GDPR). Passing on that information is a punishable act.
- Never install malware.
- Never copy, modify or delete data or system configurations. Please create a directory listing or screenshot instead.
- Never use ‘brute-force’ methods to gain access to systems.
- Never carry out denial-of-service attacks or social engineering.
What can you expect from us?
If your report satisfies the above conditions, the information you provide will have no legal consequences. We will handle your report strictly confidentially. We will also refrain from sharing any personal data with third parties unless you have given your consent. We will only deviate from the above if we are required to do so by law or by a court judgment.
- We will send you confirmation of receipt within one working day.
- We will respond to your report within five working days. In that response we will present our assessment of your report and indicate the date by which we expect to have resolved the issue.
- We will keep you up to date with the progress made.
- We will resolve the security issue you have identified in a system within a reasonable period of time. In consultation with you we will decide whether we need to communicate externally about the issue and, if so, how.
- If you wish, and in consultation with you, we can include your name in our Hall of Fame as the person who identified the reported vulnerability.
This text has been drawn up as an addition to the guidelines of the National Cyber Security Centre.