search

menu

  • Research Research
    • Where science meets inspired minds

    • Back
    • Research
    • Our Science
    • Research Groups
    • Facilities & Platforms
    • Clinical research
    • Find a researcher
    • Publications
    • Knowledge Transfer
  • Careers & study Careers & study
    • Become a leader in cancer research

    • Back
    • Careers & study
    • Vacancies
    • Faculty
    • Scientific staff
    • Scientific support staff
    • Postdoctoral fellows
    • PhD Students
    • Operational staff
    • Clinical fellows
    • Life in Amsterdam
    • Student internships
  • News & Events News & Events
    • Check out our stories and events

    • Back
    • News & Events
    • News
    • Media & Press
    • Calendar
  • About us About us
    • Maximum impact for cancer patients

    • Back
    • About us
    • Our vision
    • Organization
    • Collaborations
    • Responsible Research
    • Support us
    • Visit us
    • Contact us
  • Support us
Support us
  • Home
  • Disclaimer
  • About us
  • Organization
  • Disclaimer
  • Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure

At the Netherlands Cancer Institute, we work hard to maintain and improve the security of our (medical) devices, systems, and services.  No matter how much effort we put into our system security, there might be vulnerabilities present. If you discover a vulnerability, you can report it safely via our Coordinated Vulnerability Disclosure, so the NKI can take safety measurements.

Reporting a vulnerability
If you have found a vulnerability, we would like to hear about it so that we can take appropriate measures as soon as possible. The AVLis eager to cooperate with you to better protect our clients and systems. Our Coordinated Vulnerability Disclosure policy is not an invitation to proactively scan our network/systems for vulnerabilities. We monitor our network/systems continuously ourselves; Thus, a vulnerability scan is likely to be noticed and investigated by our IT department, and unnecessary expenses may occur as a result.

If you comply with our Coordinated Vulnerability Disclosure policy we have no reason to take legal action against you regarding the reported vulnerability. We ask you to:

  1. Submit your findings to Z-CERT by sending an email to cvd@z-cert.nl encrypted with our PGP-key. ZCERT is an organization that handles all cyber security issues on behalf of the NKI. Z-CERT will work with you and the AVL to make sure that your report is handled with care.
  2. Provide adequate information to allow Z-CERT to reproduce the vulnerability which helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities.
  3. Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
  4. If you suspect to have access to medical data we ask you to let us verify this.
  5. Do not share information on vulnerabilities until they have been resolved and erase any data obtained through vulnerabilities as soon as possible;
  6. Do not attack physical security, use social engineering, distributed denial of service, spam, brute force attacks, or third-party applications.

How we will handle your report:

  1. NKI and Z-CERT will treat your report confidentially and will not share your personal data unless required by law;
  2. Z-CERT will send you an acknowledgment of receipt and will respond to your report with an evaluation and an expected resolution date within 5 working days;
  3. NKI and Z-CERT will keep you informed of the progress in resolving the problem;
  4. In communication about the reported problem, we will mention your name as the discoverer of the problem (unless you desire otherwise).
  5. In case of a non-trivial vulnerability, you can choose to be named in our hall of fame. In exceptional cases, which depend on the severity of the vulnerability and quality of the report, we can decide to reward you.

We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved we will decide in consultation whether and how details will be published.

Out-of-Scope statement
The NKI does not offer rewards for trivial vulnerabilities or bugs that cannot be abused. 
The following are examples of known and accepted vulnerabilities and risks that are outside the scope of the responsible disclosure policy:

  1. HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
  2. Fingerprint version banner disclosure on common/public services.
  3. Disclosure of known public files or directories or non-sensitive information, (e.g. robots.txt).
  4. Clickjacking and issues only exploitable through clickjacking.
  5. Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  6. OPTIONS HTTP method enabled.
  7. Rate-limiting without clear impact.
  8. Anything related to HTTP security headers, e.g.:
    o Strict-Transport-Security.
    o X-Frame-Options.
    o X-XSS-Protection.
    o X-Content-Type-Options.
    o Content-Security-Policy.
  9. SSL Configuration Issues:
    o SSL forward secrecy not enabled.
    o weak / insecure cipher suites.
  10. SPF, DKIM, DMARC issues.
  11. Host header injection.
  12. Reporting older versions of any software without proof of concept or working exploit.
  13. Information leaks in metadata.

Where science meets inspired minds

Contact

Plesmanlaan 121
1066CX Amsterdam

020 512 9111 communicatie@nki.nl

Quick links

  • Vacancies
  • News
  • Contact us
  • Media & Press

Follow us on

Disclaimer
Privacy statement
Cookies
Change cookie settings

This site uses cookies

This website uses cookies to ensure you get the best experience on our website.