Coordinated Vulnerability Disclosure

At Saxion, the security of our systems is very important to us. Despite our efforts to ensure the security of our systems, it is still possible that a weak spot may occur. If you have identified a weakness in one of our systems, please let us know so that we can act as soon as possible. We would like to work with you to protect our users and systems better and so limit impact and risks as much as possible.

Not an invitation for active scanning

Our Coordinated Vulnerability Disclosure policy is not an invitation to actively scan our network or systems for vulnerabilities. We monitor our organisation’s network ourselves, so there is a good chance that we will detect your scan and that the Saxion Security Operations Centre (SOC) will open an investigation, which may lead to unnecessary costs.

Criminal prosecution

It is possible that during your own investigation you perform actions that are punishable under criminal law. If you have complied with the conditions below, we will not take legal action against you. However, the Public Prosecutor's Office retains the right to decide whether to prosecute you.

What do we want you to do?

  • Mail your findings to soc@saxion.nl. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands.
  • Do not exploit the vulnerability you have found: download no more data than is necessary to demonstrate the vulnerability, and do not change or delete any data.
  • Do not share the vulnerability with others until the vulnerability has been fixed.
  • Do not use attacks on physical security or third-party applications, social engineering, (distributed) denial-of-service, malware, or spam.
  • Please provide us with enough information to reproduce the vulnerability so that we can fix it as quickly as possible.

What we promise you:

  • We will respond to a report within 5 working days, give our assessment and say when we expect to have the vulnerability fixed;
  • We will treat the report confidentially and will not share the details of the reporter with third parties without the explicit permission of the reporter, unless this is necessary to comply with our legal obligations;
  • We would like to thank you for reporting a vulnerability in a responsible manner by giving you a mention in our Hall of Fame.

Outside the scope

The Coordinated Vulnerability Disclosure policy only applies to Saxion University of Applied Sciences’ own systems and only to real vulnerabilities. Therefore, certain reports are outside its scope. Trivial vulnerabilities or bugs that cannot be exploited are not eligible for inclusion in the Hall of Fame. Below are examples of known vulnerabilities and accepted risks that fall outside the scope of the Coordinated Vulnerability Disclosure policy:

  • Authentication on public FTP mirrors for open-source projects;
  • Publicly offered software and/or source code;
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injection on these pages;
  • Fingerprinting/version attribution on public services;
  • Missing limits on login attempts;
  • Disclosure of public records, data summaries, or non-sensitive information (e.g., robots.txt);
  • Clickjacking and problems that can only be exploited through clickjacking;
  • No Secure/HttpOnly flags on non-sensitive cookies (examples of sensitive cookies are session cookies and cookies containing personal data; examples of non-sensitive cookies are load-balancer preferences and language settings);
  • OPTIONS HTTP method enabled;
  • Erroneous referer header options;
  • Everything concerning mixed-content warnings;
  • Anything related to HTTP/XML security headers, such as:
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy
    • Cross-Domain-Policy;
  • SSL configuration issues:
    • SSL forward secrecy disabled
    • Weak/insecure cipher suites;
  • Host header injection;
  • Issues with SPF, DKIM, or DMARC;
  • Reporting outdated versions of software without a Proof of Concept of a working exploit;
  • Information leaks in metadata.