Coordinated Vulnerability Disclosure (CVD)

It is impossible to prevent all security problems, but the municipality of Epe wants to do everything it can to make its systems as secure as possible. That is why the municipality of Epe encourages you to help find weak spots. We would like to work together with you to enhance the protection of our customers and our systems.

Report a weakness

If you discover a weakness in a municipal system, you can report this via gemeente@epe.nl or incident@IBDgemeenten.nl. When using the IBD address, encrypt your email with the PGP key of the IBD. In case of emergency and during weekends and public holidays, you can report via the IBD.

What we ask

  • Provide enough information to reproduce the problem. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient. For more complex vulnerabilities, additional information may be required.
  • Do not abuse the problem by, for example, downloading more data than necessary to demonstrate the vulnerability, or by accessing, deleting, or modifying data belonging to third parties.
  • Do not share the problem with others until it is resolved and delete all confidential data obtained through the vulnerability immediately after it is fixed.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
  • Provide your contact details so we can reach you. Provide at least one email address or phone number.
  • Report the weak spot as soon as possible.

What we promise

  • We will not take any criminal or civil action against you if you comply with the points under 'What we ask'.
  • Your report will be treated confidentially.
  • If necessary, the municipality of Epe will share the factual information about the report with the IBD so that other municipalities can be informed.
  • By mutual agreement, we can mention your name as the discoverer of the reported vulnerability if you wish. In all other cases, you will remain anonymous.
  • You will receive confirmation of receipt within 1 working day.
  • You will be kept informed of the progress of the solution. 

By submitting a report, you agree to the terms of the Coordinated Vulnerability Disclosure.

Hall of Fame

For a valid report, reporters will receive an entry in the Hall of Fame of the Municipal Information Security Service.