At Erasmus University Rotterdam we work hard to maintain and improve the security of our systems; nevertheless vulnerabilities may occur in our systems. Our Responsible Disclosure policy requests anyone discovering a vulnerability to inform us before he or she makes it know to the outside world, so we are able to take timely action.
Attention: this Responsible Disclosure policy is not an invitation to scan our network for vulnerabilities. We monitor our network continuously ourselves; Thus, a vulnerability scan is likely to be noticed, investigated upon by the CERT and unnecessary expenses will occur.
How can we work together to secure systems?
We ask you:
- send your findings to the email address cert@eur.nl as soon as possible; preferably encrypted with our EUR PGP-key; or use the web-form to prevent your findings falling in the wrong hands. See the vulnerability reporting form.
- do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data. Be extra cautious when personal data is involved.
- do not share information on vulnerabilities until they have been resolved and erase any data obtained through vulnerabilities as soon as possible;
- do not attack physical security or third-party applications, use social engineering, brute-force password attacks, spam or orchestrate (distributed) denial of service attacks;
- provide sufficient information to allow us to reproduce the vulnerability and provide a quick resolution
an IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, but complex vulnerabilities may need additional information.
We promise:
- if you comply with the above requests we will not take legal action against you regarding the reported vulnerability. The Dutch Public Prosecution Service will never forfeit their right to investigate and prosecute unlawful actions.
- we respond to your report with an assessment within three days and provide an estimated time to resolution;
- we treat your report confidentially and will not share your personal data unless required by law;
- we will keep you informed of our progress in resolving the issue;
- in reporting on the vulnerability we will, if you wish, mention you as the contributor;
- reporting anonymously or under a pseudonym is possible. Please be aware that we will not be able to contact you on the next steps, our progress or any reward for the report;
- as a token of our appreciation for your help, we offer a reward for any first report of an unknown vulnerability. The exact reward will be determined by the severity of the vulnerability and the quality of the report, ranging from an honourable mention to a gift.
- we strive to resolve any vulnerability as soon as possible.
What doesn't classify as a vulnerability:
- Intentional listing of directory contents for research or publication purposes;
- SPF, DKIM, DMARC issues.
- Missing ‘secure’ or ‘http only’ flags on non-sensitive cookies
- Reporting obsolete or upgradable software versions without exploit and working proof of concept
- Missing DNSSEC configuration
- xmlrpc.php accessibility
- Clickjacking
Erasmus University Rotterdam also offers internet access, subdomains and hosting facilities for students, associations and incubator startup companies. Although these sites are on the university's network, they are not under (full) control of the university. Responsible disclosure notifications about these sites are accepted and reports are forwarded to the responsible persons, but then closed by the university. These reports do not result in an entry in the Hall of Fame and no updates on progress are provided.