At the Antoni van Leeuwenhoek, we work hard to maintain and improve the security of our (medical) devices, systems, and services. No matter how much effort we put into our system security, there might be vulnerabilities present. If you discover a vulnerability, you can report it safely via our Coordinated Vulnerability Disclosure, so the AVL can take safety measurements.
If you have found a vulnerability, we would like to hear about it so that we can take appropriate measures as soon as possible. The AVLis eager to cooperate with you to better protect our clients and systems. Our Coordinated Vulnerability Disclosure policy is not an invitation to proactively scan our network/systems for vulnerabilities. We monitor our network/systems continuously ourselves; Thus, a vulnerability scan is likely to be noticed and investigated by our IT department, and unnecessary expenses may occur as a result.
If you comply with our Coordinated Vulnerability Disclosure policy we have no reason to take legal action against you regarding the reported vulnerability. We ask you to:
- Submit your findings to Z-CERT by sending an email to cvd@z-cert.nl encrypted with our PGP-key. ZCERT is an organization that handles all cyber security issues on behalf of the AVL. Z-CERT will work with you and the AVL to make sure that your report is handled with care.
- Provide adequate information to allow Z-CERT to reproduce the vulnerability which helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities.
- Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
- If you suspect to have access to medical data we ask you to let us verify this.
- Do not share information on vulnerabilities until they have been resolved and erase any data obtained through vulnerabilities as soon as possible;
- Do not attack physical security, use social engineering, distributed denial of service, spam, brute force attacks, or third-party applications.
How we will handle your report:
- AVL and Z-CERT will treat your report confidentially and will not share your personal data unless required by law;
- Z-CERT will send you an acknowledgment of receipt and will respond to your report with an evaluation and an expected resolution date within 5 working days;
- AVL and Z-CERT will keep you informed of the progress in resolving the problem;
- In communication about the reported problem, we will mention your name as the discoverer of the problem (unless you desire otherwise).
- In case of a non-trivial vulnerability, you can choose to be named in our hall of fame. In exceptional cases, which depend on the severity of the vulnerability and quality of the report, we can decide to reward you.
We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved we will decide in consultation whether and how details will be published.
AVL does not offer rewards for trivial vulnerabilities or bugs that cannot be abused.
The following are examples of known and accepted vulnerabilities and risks that are outside the scope of the responsible disclosure policy:
- HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
- Fingerprint version banner disclosure on common/public services.
- Disclosure of known public files or directories or non-sensitive information, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- OPTIONS HTTP method enabled.
- Rate-limiting without clear impact.
- Anything related to HTTP security headers, e.g.:
o Strict-Transport-Security.
o X-Frame-Options.
o X-XSS-Protection.
o X-Content-Type-Options.
o Content-Security-Policy.
- SSL Configuration Issues:
o SSL forward secrecy not enabled.
o weak / insecure cipher suites.
- SPF, DKIM, DMARC issues.
- Host header injection.
- Reporting older versions of any software without proof of concept or working exploit.
- Information leaks in metadata.