Coordinated Vulnerability Disclosure Policy

Our dependence on digital infrastructure is ever increasing. This applies to society as a whole, but also to ourselves. It is therefore our opinion that governments and organisations (including ours) should strongly commit to securing our digital infrastructure. We do realise that, in spite of our best intentions and greatest care, vulnerabilities may exist in our systems. If you do happen to find one of these weaknesses, we would love to hear from you so we can resolve the issue.

What we expect from you

  • When you are investigating one of our systems, bear in mind the proportionality of the attack. There is no need to demonstrate that when you subject our website to the largest DDoS attack in the history of the internet, the site may become unreachable. We know that. We also understand that if you drive a bulldozer into our office, you will probably be able to snatch one of our laptops
  • This principle of proportionality is also relevant when demonstrating the vulnerability itself. You should not inspect or modify more data than strictly necessary in order to confirm the validity of your finding. For instance, if you are able to modify our homepage, just add a single non-controversial word to it instead of taking over the entire page. If you can obtain access to a database, it suffices to show us a list of the tables that are in there, or perhaps the first record in one of these tables
  • A vulnerability in one of our systems should be reported as soon as possible by sending an email to security@greenhost.net. Preferably you would encrypt your message using OpenPGP. Please provide enough information so we can reproduce and investigate the issue
  • The public OpenPGP key for security@greenhost.net (see below for details)
  • You will not share your knowledge of the vulnerability with other parties as long as we have not addressed the issue and we are still within a reasonable time frame since you reported the issue
  • You will delete all confidential information you have obtained during your investigation as soon as we have resolved the vulnerability.

What you can expect from us

  • We will respond to your report within three days in a detailed manner. We will include an estimate of the time we will require to address the issue. Of course, we will regularly keep you posted on our progress
  • We will resolve the vulnerability as soon as possible. Here too, proportionality is important: the amount of time required to fix a vulnerability depends on several factors, among which the severity and the complexity of the issue at hand
  • When you follow the guidelines that are laid out here, we will not take legal action against you regarding your report
  • It is important to us to credit you for what you did - if you wish. We will mention your name in a publication regarding the vulnerability only if you agree to this
  • As a thank you for helping us in better protecting our systems, we would like to reward every report of a vulnerability that was unknown to us at the time. The reward will depend on the severity of the vulnerability and the quality of the report
  • Should you find a vulnerability in third-party software that we use and that vulnerability is covered by a bug bounty program, we will not try to claim this bounty; you should.

CC-BY-NC BOF.NL

GPG Fingerprint and public key

Contact email address: security@greenhost.net

GPG Fingerprint: 207C FAB6 ACD9 EF3E C5B3 C8FA F965 32D2 7CF8 368E

Full GPG public key:
