We consider the security of the computer systems of the Municipality of Gorinchem important. Despite our care for the security of those systems, it may happen that there is a weakness. If you have found a weakness in our systems, we would like to hear from you immediately so that we can take measures as quickly as possible.
As a visitor, you can discover weaknesses in two ways:
- You happen to run into something during normal use of a digital environment (for example, our website).
- You deliberately make an effort to find a weakness.
If you want to report a vulnerability on our website, you can do so in the manner described below, following the process known as "Coordinated Vulnerability Disclosure (CVD)". There are also a few rules for you as the reporter. The most important are: do not abuse the vulnerability and do not publicize it.
We ask you to:
- Report the problem to our e-mail address, CVD@gorinchem.nl, as soon as possible after discovering the vulnerability, and include "CVD" or "Responsible Disclosure" in the subject line.
- Provide sufficient information to reproduce the problem so that we can also find it and then fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be needed for more difficult vulnerabilities. We will then send you a link that allows you to securely email the information.
- Leave your contact information so that we can get in touch with you and work together toward a secure outcome.
- Instead of reporting a vulnerability directly to the Municipality of Gorinchem, you can also report it to the Information Security Service (IBD). The IBD will contact the Municipality of Gorinchem and, where applicable, other parties involved in resolving the vulnerability.
- When you make a report, you agree to the agreements about Coordinated Vulnerability Disclosure. The Municipality of Gorinchem will handle your report according to these agreements.
What you may not do
You are not allowed to abuse the vulnerability in any way. For clarity, the following actions are not allowed in any case:
- Placing malicious computer programs.
- So-called "brute forcing" of access to systems.
- Cracking passwords.
- Using technical devices that reduce the availability and/or usability of the system or services (DoS attacks).
- Attempting to discover confidential or secret information through municipal employees.
- Making information about the security problem public or giving it to other organizations or individuals before it is resolved.
- Misusing the vulnerability in any (other) way.
What you can expect from us
- We treat a report confidentially and do not share personal information with other organizations or individuals without your permission, except where we are required to do so by law or court order.
- We always share the received report with the Information Security Service for Municipalities (IBD). In this way we ensure that municipalities share their experiences in this area. If you wish, and in consultation with you, we can mention your name as the discoverer of the reported vulnerability. In all other cases, you remain anonymous.
- We will send you a confirmation of receipt within 3 business days.
- We respond to a report within 5 business days with an (initial) assessment of the report and possibly an expected date for resolution.
- We resolve the security problem you reported as quickly as possible. We try to keep you well informed of the progress and never take longer than 90 days to solve the problem. However, we are often dependent on suppliers.
- If it appears that you have not complied with any of the above conditions, we may still decide to take legal action against you.
- If you meet all of the above conditions, we will not press charges against you or bring a case against you.
We may consult with each other about whether and how the problem may be disclosed after it is resolved.