Responsible disclosure
At Groningen Seaports, we believe the safety of our systems is of the utmost importance. Despite our attention to the security of our systems, it may happen that there is a vulnerability. If you have found a vulnerability in one of our systems, we would be pleased to hear from you, so we can take measures as soon as possible. We would like to work together with you to protect our clients and systems better. Please report the vulnerability to security@groningen-seaports.com.
What to do:
- By reporting the issue as soon as possible, you prevent people who act in bad faith from finding and abusing the same vulnerability.
- Report the issue confidentially to the organisation to prevent others from gaining access to this information.
- Provide sufficient information to reproduce the issue, so we can resolve it as soon as possible. Generally, the IP address or the URL of the system in question and a description of the vulnerability are sufficient, but in the case of more complex vulnerabilities, more may be needed.
DON’TS:
- Do not disclose the vulnerability or the issue to others before it has been resolved.
- Do not put your own backdoor in an information system in order to demonstrate the vulnerability, as this may cause additional damage and produce unnecessary security risks.
- Do not abuse a vulnerability any further than necessary to ascertain the vulnerability.
- Do not copy, amend, or remove data from the system. An alternative is to create a directory listing of a system.
- Do not make changes to the system.
- Do not obtain repeated access to the system or share access with others.
- Do not use brute-force attacks, social engineering, attacks on physical security, distributed denial of service, spam or applications of third parties to access systems.
What is excluded:
- Microsoft Office 365 environment. Vulnerabilities for this environment can be reported here.
What do we promise:
- We endeavour to respond to your report within 5 working days with our assessment of the report and an expected resolution date.
- If you complied with the above conditions, we will not take legal steps against you in respect of the report.
- We treat your report confidentially and do not share your personal details with others without your consent, unless this is required to comply with a statutory obligation. It is possible to report under a pseudonym or anonymously.
- We will keep you informed of the progress of the resolution of the problem.
- We strive to resolve all issues as soon as possible, and would like to be involved in any publication of the issue after it has been resolved.
This ‘responsible disclosure’ policy is based on an example prepared by Floor Terra and the responsible disclosure guidance of the NCSC.
Version: 1.0
Date: 8 March 2023



