To report a vulnerability, please send an email to cvd@uwv.nl. You can encrypt your email with PGP. Make sure you do the following as well:

  • include the IP address and/or URL of the page where you found the vulnerability 
  • provide a description of the type of vulnerability you found 
  • describe which steps need to be taken to reproduce and investigate the vulnerability 
  • provide your name, telephone number and email address

You must not do any of the following when reporting a vulnerability:

  • tell other people about the vulnerability before we have disclosed it to the public
  • install malware (malicious software)
  • copy, delete or change data in our systems
  • disrupt our systems
  • infiltrate our systems repeatedly
  • use trial-and-error methods to guess passwords (‘brute force attack’)
  • attempt a ‘denial of service’ (for example, by overwhelming our systems with requests)
  • manipulate others to gain access to sensitive information (‘social engineering’)

We assure you that following these guidelines will protect you from legal action. Your report will be treated confidentially and we will not share your personal information with anyone without your permission.

If you have identified and reported a vulnerability on our websites or platforms, we will acknowledge receipt of your email within 1 day of receiving it. We will evaluate your report and assess the extent to which the reported vulnerability poses a risk to the availability, integrity or confidentiality of UWV's systems or data. Your report will be assessed within 5 working days and we will keep you informed of our progress.

As a token of our gratitude, we may offer you a small reward for reporting a vulnerability. The reward will depend on the severity and scope of the security issue identified, and whether or not the vulnerability was already known to us. With your permission, you could be eligible for a mention by name in our Hall of Fame.

Please note: We never offer money as a reward.