Responsible Disclosure scheme

Introduction

At the Royal Institute of Engineers (KIVI), the security of your and our data is very important to us, which is why we secure our systems. Despite our care, there may still be a weakness in this security.

English version below

Unfortunately, we have to put the responsible disclosure programme on hold for the next few months due to planned major maintenance to the website! You may still report bugs, but we will not respond or add anyone to the hall of fame for now, nor will we do so later for reports submitted after 9 June 2024. When we restart the programme, we will only accept NEW reports.

Unfortunately, we have to TOTALLY suspend our responsible disclosure program for the next months due to planned big maintenance on our website! You can still send in vulnerabilities, but for the time being we will NOT GIVE A REACTION IN ANY WAY OR ADD SOMEONE TO THE HALL OF FAME, and we will not do so later for vulnerabilities sent in after the 9th of June 2024. When we restart the program, we will only accept NEW / then current vulnerabilities.

If you have found a vulnerability in one of our systems, please let us know so we can take action as soon as possible. We would like to work with you to better protect our users and systems.

We ask you:

  • Not to carry out attacks on physical security or on people (social engineering).
  • Not to use Distributed Denial of Service (DDoS) attacks or spam.
  • To report a vulnerability only once, even if the same vulnerability occurs in several places in the system.
  • To email your findings to responsible-disclosure@kivi.nl. Reporting under a pseudonym is possible. If you feel the data is so sensitive that you wish to encrypt it, please say so in your report; we will then provide you with an address to which you can send PGP-encrypted mail (see the PGP public key at the bottom of this page).
  • To provide enough information to reproduce the problem, so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient; more complex vulnerabilities need more detail. Please state the URL or, if not applicable, the IP address of the affected system clearly in the body text, in addition to any attached images and/or animations.
  • To delete any confidential data obtained through the leak as soon as possible after submitting your report, but only after coordinating with us, so that we can still reproduce the problem.
  • Not to abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak, or accessing, deleting or modifying third-party data.
  • Not to share the problem with others until it is fixed.
  • Not to publish about the solved problem yourself unless this has been agreed with us beforehand. We also ask that the solved problem, our URLs, IP addresses or contact information not be shared on any social media, forum, instant messenger or other public medium without our permission. Not even afterwards. You may of course use your entry in the Hall of Fame for job applications or for a (private) portfolio.

What we promise:

  • We consider it important that vulnerabilities are reported to us as soon as possible, so that we can take immediate action to make our environment safe again. Reports are therefore always accepted by us with thanks. We will therefore not consider legal action against reporters who have gained unauthorised access to sensitive information, provided you have complied with the above points.
  • We will treat your report confidentially and will not share your personal data with third parties without your consent unless necessary to comply with a legal obligation.
  • We will respond to your report within 5 working days with our assessment of the report and an expected date for resolution.
  • We will keep you informed of the progress of resolving the issue.
  • If you wish, we will list you as a reporter in the Hall of Fame; this can be done under a pseudonym if desired.
  • Relevant content of the resolved report may be published on www.kivi.nl/cybersafety, unless there are reasons not to do so, for example when the solution has led to the discovery of a related vulnerability that has not yet been solved, or when publication could cause reputational damage to (a part of) KIVI.
  • In reporting on the solved problem, we will, if you wish, mention your name as the discoverer and reporter.
  • If you are the first to report a vulnerability and you live within the EU, you will receive a gift from KIVI. We never give money. Sending promotional gifts outside the EU is unfortunately not possible (barring a very special exception) because of all the arrangements we would have to make with customs to do so.

We aim to resolve all reported problems as well and as quickly as possible. Thank you!

PGP public key
