Responsible disclosure
Summa considers the security of our systems to be of paramount importance. Despite our commitment to system security, vulnerabilities may still exist. If you've discovered a vulnerability in one of our systems, please let us know so we can take action as quickly as possible. We'd like to work with you to better protect our users and our systems.
We ask you:
- To email your findings to servicepunt@summacollege.nl or contact the Service Point by phone at 040 269 4411;
- Not to abuse the vulnerability by, for example, downloading more data than is necessary to demonstrate the leak or viewing, deleting or modifying third-party (personal) data;
- Not to share the vulnerability with others until it has been resolved and to delete all (confidential) data obtained through the leak immediately after the leak has been resolved;
- Not to use physical security attacks, social engineering, distributed denial of service, spam, or third-party applications;
- To provide enough information to reproduce the problem so we can resolve it as quickly as possible. The IP address or URL of the affected system and a description of the vulnerability are usually sufficient, but more information may be required for more complex vulnerabilities.
We pledge:
- We will respond to your report within 3 working days with our assessment of the report and an expected date for a resolution;
- If you have complied with the above conditions, we will not take any legal action against you in relation to the report*;
- We will treat your report confidentially and will not share your personal information with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
- We will keep you informed of the progress of fixing the vulnerability;
- In our reporting on the reported issue, we can, if you wish, mention your name or organization as the discoverer. We strive to resolve all issues as quickly as possible and would appreciate being involved in any publication about the issue after the vulnerability has been fixed.
Please note: our responsible disclosure policy is not an invitation to extensively test or scan our network for vulnerabilities. There is a chance that you may perform actions during your research that are punishable under criminal law. The fact that Summa will not file a criminal complaint against you under this responsible disclosure policy does not preclude others from initiating a criminal investigation into your actions.