Reporting a vulnerability (CVD)

Have you discovered a flaw or weakness in a website or IT system belonging to the Municipality of The Hague? Please report it. The municipality can then investigate the problem and resolve it as quickly as possible. This will help the municipality to protect its data and systems even better. This way of working together is known as Coordinated Vulnerability Disclosure (CVD).

The municipality secures the data in its websites and IT systems with great care. Nevertheless, they may still contain weaknesses. Computer criminals can exploit these vulnerabilities. They do this by breaking into the system and modifying or stealing data for criminal activities. By reporting these weaknesses, you are helping the municipality to keep its data safe. 

Report a vulnerability

  • Report the weakness you discovered as quickly as possible using Zerocopter.

  • Note: if you make the report anonymously, the municipality will not be able to contact you.
  • Give the municipality enough information to find and investigate (reproduce) the weakness. This will help to resolve it quickly. In most cases, the IP address or the URL of the affected system and a description of the issue are enough. If you find a vulnerability which is complex, please provide additional information.
  • Do not exploit the vulnerability. Do not view the information of others. Also do not delete or modify data. If you download data, do not download more than is strictly necessary to show the weak spot.
  • Do not share the vulnerability with other people until the municipality has resolved it.
  • Delete all confidential data you have downloaded once the municipality has resolved the vulnerability. Do not share any of this data with other people.
  • Do not use:

    • technologies which will put the municipality's services at risk
    • attacks on physical security, such as turnstiles and locks
    • psychological manipulation (social engineering)
    • attacks which use large numbers of login attempts (brute-force attacks)
    • spam

After your report

The municipality:

  • will respond to you within 10 working days with an assessment of your report and an expected timeframe for solving the issue.
  • will inform you of the progress in resolving the vulnerability.
  • will not take any legal steps against you for reporting the issue if you have complied with the agreements above.
  • will treat your report with confidentiality. It will not share your personal details with third parties without your consent, unless it is legally required to do so. You are free to make the report using a pseudonym.
  • may offer you a reward as a token of gratitude. The municipality will decide this on a case-by-case basis. The size of the reward depends primarily on the seriousness of the vulnerability and the quality of your report.

The municipality strives to resolve any vulnerabilities as quickly as possible and to inform all parties involved. Please inform the municipality of any plans to publish resolved vulnerabilities.

This text is based on a text by Floor Terra. The text is available at responsibledisclosure.nl/en and shared under a Creative Commons Attribution 3.0 Unported license.

Published: 17 August 2021
Modified: 15 October 2021