Responsible disclosure

Responsible disclosure

At Groningen Seaports, we consider the security of our systems as very important. But no matter how much effort we put into system security, there still can be vulnerabilities present. If you have discovered a vulnerability in one of our systems, please let us know so that we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems. You can send a report to security@groningen-seaports.com.

What to do:

  • Make a report as soon as possible to prevent a malicious person from finding the vulnerability and exploiting it.
  • Make a confidential report to the organization to prevent others from gaining access to this information.
  • Provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more complex vulnerabilities may require more.

What not to do:

  • Do not disclose the vulnerability or problem to others.
  • Do not place your own backdoor in a system and then use it to demonstrate the vulnerability, as this can cause additional damage and lead to unnecessary security risks.
  • Do not abuse a vulnerability beyond what is necessary to establish the vulnerability.
  • Do not copy, modify or delete any data from the system. An alternative to this is to create a directory listing of a system.
  • Do not make any changes to the system.
  • Do not repeatedly access the system or share access with others.
  • Do not use brute force attacks, social engineering, physical security attacks, distributed denial of service, spam or third party applications to gain access to systems.

What is excluded:

  • Microsoft Office 365 environment. Vulnerabilities for this environment can be reported here.

What we promise:

  • We try to respond to your report within 5 business days with our assessment of the report and an expected date for a solution.
  • If you have complied with the above conditions, we will not take legal action against you regarding the report.
  • We treat your report confidentially and do not share your personal information with third parties without permission, unless this is necessary to comply with a legal obligations. Reporting under a pseudonym or anonymously is possible.
  • We will keep you informed of the progress of solving the problem.
  • We aim to resolve all issues as quickly as possible and would like to be involved in any publication of the issue after it has been resolved.

This ‘responsible disclosure’ policy is based on an example written by Floor Terra and the responsible disclosure guideline of the NCSC.

Version: 1.0
Date: March 8, 2023