Coordinated Vulnerability Disclosure

Gemeente Heerlen attaches great importance to the security of its systems. Despite all precautions, it remains possible that a weakness in the systems can be found. If you discover a vulnerability in one of our systems, we would like to hear from you so that we can take appropriate action quickly. By making a report, you accept the following agreements on Coordinated Vulnerability Disclosure, and the municipality of Heerlen will handle your report in accordance with them.

What to expect:

  • We treat a report confidentially and do not share a reporter's personal information with third parties without their consent, unless we are required to do so by law or court order.
  • We always share the received report with the Information Security Service for Municipalities (IBD). In this way, we ensure that municipalities share their experiences in this area.
  • By mutual agreement, if you wish, we may include your name as the discoverer of the reported vulnerability. In all other cases, you will remain anonymous.
  • We will send you an (automatic) confirmation of receipt within 1 business day.
  • We respond to a report within 3 business days with an (initial) assessment of the report and possibly an expected date for resolution.
  • We will resolve the security issue you reported as quickly as possible. We strive to keep you well informed of the progress and never take longer than 30 days to solve the problem. However, we are often dependent on suppliers.
  • It can be mutually agreed whether and how to publish about the problem after it is resolved.

We ask the following of you:

  • Email your findings to informatiebeveiliging@heerlen.nl. If possible, encrypt the findings with Cryptshare via Parkstad-IT's secure environment to prevent the information from falling into the wrong hands.
  • Please provide enough information to reproduce the problem so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.
  • We welcome tips to help us solve the problem. Please limit your tips to verifiable, factual information related to the vulnerability you have identified, and make sure your advice does not amount to advertising specific (security) products.
  • Please leave contact information so we can get in touch with you to work together for a safe outcome. Please leave at least one email address or phone number.
  • Please submit the report as soon as possible after discovery of the vulnerability.