Responsible disclosure (English)

The Municipality of The Hague is committed to the security of its IT systems. Despite all the precautionary measures it takes, there may still be occasional vulnerabilities – 100% IT security does not exist in a continuously changing IT world. If you discover a weak spot in 1 of the municipality’s systems, please report it to the municipality immediately. The municipality can then rectify the situation quickly.

The municipality strives to work with you to better protect residents, companies and systems by addressing vulnerabilities. Read this page to see how you can report an issue. By submitting a report, you automatically agree to the terms on responsible disclosure below. Similarly, the municipality will handle your report according to the terms below.

Terms when reporting an issue to the municipality

The municipality requests you to:

  • Report your findings as soon as you discover a weak spot using the Zerocopter report form.
  • Use English in your report.
  • Not misuse the problem by, for example, viewing the information of others, deleting or modifying data, or downloading more data than is strictly necessary to show the weak spot.
  • Not share the problem until the municipality has fixed it. The municipality also requests you to handle any confidential information that has been obtained through the leak and to delete it as soon as the leak has been repaired.
  • Not use physical security attacks, social engineering, spam, brute force attacks or applications of third parties. The municipality also requests you not to use technologies which will affect the availability and/or usability of the system or the service.
  • Supply enough information to reproduce the problem so that the municipality can solve the problem as soon as possible. In most cases, the IP address or the URL of the affected system and a description of the issue is enough, but in more complex cases, more information may be needed.

The municipality would also like to receive any tips that could help solve the problem. In doing so, please supply only verifiable facts that are relevant to the issue you have encountered and avoid promoting particular security products.

Terms agreed to by the municipality with the person reporting an issue

The municipality promises the following:

  • It will respond to your report as quickly as possible. You will receive an automatic confirmation of your report within 1 working day, and within 3 working days an (initial) assessment of the report and when possible an expected time-frame for solving the issue.
  • If you have adhered to the agreements above, the municipality will not take any legal steps against you for reporting the issue.
  • Your report will be handled confidentially and your personal details will not be shared with third parties without your consent unless the municipality is obliged to do so in accordance with the law or a court ruling. Reports may be made using a pseudonym.
  • The security issue you report will be dealt with as quickly as possible. However, the municipality is often dependent on external parties. The municipality will keep you informed of the progress.
  • Whether the problem is published after it is solved and, if so, how will be decided in consultation. If desired, the municipality will state your name as the finder of the issue.
  • The municipality may offer a reward as a token of gratitude. Whether you receive a reward and the size of the reward depends on the severity of the leak and the quality of the report. The municipality will therefore determine these on a case by case basis.

This policy is inspired and partially taken from the example on

Published: 28 August 2019Modified: 11 February 2020