Coordinated Vulnerability Disclosure (English)



Coordinated Vulnerability Disclosure (CVD)

The Elkerliek Hospital considers the security of our IT systems a top priority. Despite the care and effort that we put into the security of our IT systems, it is nevertheless possible that vulnerabilities are present.

If you discover such a vulnerability in our systems, you can safely report this to us. This approach is called Coordinated Vulnerability Disclosure (CVD). This enables us to take protective measures before the vulnerabilities become known to a larger audience.

Reporting a vulnerability

If you discover a vulnerability in our IT-systems, we would like to know about it so we can take protective measures as quickly as possible. The Elkerliek Hospital would like to work together with you to protect our customers and systems even better.

When you report vulnerabilities to us through Coordinated Vulnerability Disclosure, we would first ask you to verify that the report meets the appropriate specifications. Furthermore, we will not undertake legal action against you provided you comply with the conditions below:

  • Report your findings to the Z-Cert foundation by sending an e-mail to responsibledisclosure@z-cert.nl. You can use the PGP key. The Z-Cert foundation is the organisation that handles IT security incidents for the Elkerliek Hospital. They work together with you as the reporter of the vulnerability and with the Elkerliek Hospital to make sure your report is handled accordingly.
  • Provide sufficient information in your report, so the problem can be reproduced and we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
  • Do not abuse the vulnerability or problem you have discovered, for example by downloading more information than necessary to demonstrate the vulnerability to us or by viewing, deleting or modifying data from others.
  • Do not share your findings with others until the issue is resolved. Furthermore, we ask you to delete all confidential information that you received after the vulnerability is resolved.
  • Do not attack our physical security and do not use social engineering, distributed denial of service, spam and/or applications of third parties.

How we will handle your report:

  • The Elkerliek Hospital and the Z-Cert foundation will treat your report as strictly confidential and will not share your personal information with third parties without your consent, unless we are legally obliged to do so.
  • You will receive an acknowledgement of receipt from the Z-Cert foundation and within 3 working days you will receive a response to your report including an evaluation of the report and an expected resolution date.
  • Z-Cert will keep you, as the reporter of the vulnerability, informed of the progress towards resolving the problem.
  • In the public information concerning the reported problem, the Elkerliek Hospital will, if you wish, state your name as the person who discovered the issue.
  • In appreciation of your help, Elkerliek offers a small reward for every significant report of a security problem not yet known to us. This is a memento of the report and is in no way a monetary reward.

We strive to resolve all issues as quickly as possible. We would like to be involved in the possible publication of the issue, after it is resolved.
