...

Responsible Disclosure

NFIR beeldmerk kleur
NFIR beeldmerk kleur

Responsible Disclosure

NFIR attaches great importance to the security of its systems. In spite of our concern for the security of our systems, there may still be a weak spot.

If you have found a weak spot in one of our systems, please let us know so that we can take action as soon as possible. We would like to cooperate to better protect our customers and our systems.

We kindly request you not to report the following vulnerabilities:

  • Findings regarding denial-of-service (DoS) on www.nfir.nl as a result of Wordpress functions (i.e. xmlrpc.php).

We’re asking you:

  • Email your findings to security@nfir.nl. Encrypt your findings with our PGP-key to prevent the information from falling into the wrong hands;
  • • Do not abuse the problem by, for example, downloading more data than is necessary to prove the leak or accessing, deleting or modifying third party data;
  • Do not share the problem with others until it has been resolved, or delete all confidential data obtained through the leak immediately after the leak has been plugged;
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third party applications;
  • Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but in the case of more complex vulnerabilities more may be needed.

What we promise:

  • We will respond to your report within 2 business days with our review of the report and an expected date for resolution;
  • If you have complied with the above terms and conditions, we will not take any legal action against you regarding the report;
  • We will treat your report confidentially and will not share your personal data with third parties without your consent unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • We will keep you informed about the progress of solving the problem;
  • In reporting the reported problem we will, if you wish, mention your name as the discoverer;
  • As a thank you for your help, we offer a reward for every relevant report of a security issue that is as yet unknown to us. We determine the size of the reward on the basis of the seriousness of the leak and the quality of the report.

We strive to solve all problems as quickly as possible and we are happy to be involved in any publication about the problem after it has been solved.

The above text is based on the Responsible Disclosure text by Floor Terra, which can be found at responsibledisclosure.nl and is published under a Creative Commons – Attribution 3.0 Netherlands – CC BY 3.0 NL license.

SECURITY INCIDENT BIJ UW ORGANISATIE?

De volgende 30 minuten zijn van cruciaal belang​!

De eerste 30 minuten na een cyber security incident zijn cruciaal, omdat een snelle en adequate reactie de schade kan beperken. Daarnaast kan verdere verspreiding van de aanval worden voorkomen en kan essentieel bewijsmateriaal veiliggesteld worden voor nader onderzoek.

Ons Computer Emergency Response Team (CERT) staat 24/7 klaar om bedrijven en organisaties te ondersteunen bij IT-beveiligingsincidenten.

Heeft uw bedrijf professionele hulp nodig bij een beveiligingsincident? 

* LET OP: Wij werken uitsluiten voor bedrijven en organisaties.

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage.
In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?

* NOTE: We work exclusively for companies and organizations.