Coordinated Vulnerability Disclosure (CVD)

At LUMC we work hard to maintain and improve the security of our systems; nevertheless, vulnerabilities may still occur. Our Coordinated Vulnerability Disclosure (CVD) policy asks anyone who discovers a vulnerability to inform us before making it known to the outside world, so that we are able to take timely action.

Attention: this CVD policy is not an invitation to scan our network for vulnerabilities. We monitor our network continuously ourselves. A vulnerability scan is therefore likely to be noticed and investigated by our CERT, causing unnecessary expense.

How can we work together to secure systems?

We ask you:

  • send your findings to the email address as soon as possible, preferably encrypted with our PGP key (pdf) to prevent your findings from falling into the wrong hands. The fingerprint of our PGP key is: A760 25FB 1DD7 4AC8 D935 8F65 6860 AB70 CCB8 7BCE;
  • do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data. Be extra cautious when personal data is involved;
  • do not share information on vulnerabilities until they have been resolved and erase any data obtained through vulnerabilities as soon as possible;
  • do not attack physical security or third-party applications, use social engineering, spam or orchestrate (distributed) denial of service attacks;
  • provide sufficient information to allow us to reproduce the vulnerability and provide a quick resolution.

An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, but complex vulnerabilities may need additional information.

We promise:

  • If you comply with the above requests, we will not take legal action against you regarding the reported vulnerability. Note that the Dutch Public Prosecution Service never forfeits its right to investigate and prosecute unlawful actions.
  • We respond to your report with an assessment within five working days and, when necessary, provide an estimated time to resolution.
  • We treat your report confidentially and will not share your personal data unless required by law.
  • We will keep you informed of our progress in resolving the issue.
  • In reporting on the vulnerability we will, if you wish, mention you as the contributor.
  • Reporting anonymously or under a pseudonym is possible. Please be aware that in that case we will not be able to contact you about the next steps, our progress or a possible publication.
  • As a token of our appreciation for your help, we offer a reward for any first report of an unknown vulnerability. This reward consists of an honorable mention.
  • We strive to resolve any vulnerability as soon as possible.

What does not qualify as a vulnerability:

  • Intentional listing of directory contents for research or publication purposes
  • SPF, DKIM or DMARC issues
  • Missing Secure or HttpOnly flags on non-sensitive cookies
  • Reports of obsolete or upgradable software versions without an exploit and a working proof of concept
  • Missing DNSSEC configuration
  • xmlrpc.php accessibility
  • Clickjacking (or framing)

The foregoing is not an exhaustive list; our systems are subjected to regular security audits, and security issues that arise from these audits are of course also considered known issues.

Word of thanks

The LUMC would like to thank the following persons for reporting vulnerabilities. Thanks to their efforts we have been able to keep our security up to date.