Coordinated Vulnerability Disclosure
At Aafje we consider the safety of our own systems very important. Despite the care we take over the security of our systems, it is possible that there is a weak spot.
If you have found a weak spot in one of our systems, we would like to hear about it so that we can take measures (together with our partner Z-CERT) as soon as possible. We would like to work with you to better protect our participants and our systems. If you comply with our Coordinated Vulnerability Disclosure policy, we have no reason to take legal action against you regarding the reported vulnerability.
How we will handle your report:
We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved, we will decide in consultation whether and how details will be published.
Z-CERT will not process reports of vulnerabilities or security issues that cannot be abused or are trivial. Below are a couple of examples of known vulnerabilities and issues that are outside the scope. This does not mean they are unimportant or should not be resolved; however, our CVD process is meant for issues that can be actively abused, for example a vulnerability that can be abused with a publicly available exploit, or a misconfiguration that can be used to bypass an existing security control. This list of exclusions is derived from a list used by the CERT of Surf.
Last update: July 2023