Responsible disclosure

Fontys University of Applied Sciences believes the security of its information systems is very important. Despite every effort to provide careful system security, there are always points for improvement and a vulnerability may occur. You can report this vulnerability to Fontys.

Collaboration

Please inform us if you discover any vulnerabilities in one of our information systems. This will enable us to take measures as soon as possible. We would like to work with you to better protect our users and systems.

No invitation to scan actively

The Fontys 'Responsible Disclosure' policy is not an invitation to actively and extensively scan our network or our systems for vulnerabilities, since we monitor our company network ourselves. There is a good chance that we will pick up your scan and that our security team will investigate it, which could lead to unnecessary costs.

Criminal prosecution

It is quite possible that, during your investigation, you will perform actions which are punishable under criminal law. If you have complied with the conditions below, we will not take legal action against you. However, the Public Prosecutor's Office retains the right to decide whether it will take legal action against you. Read the Public Prosecutor's policy directive on this topic (pdf).

Our request to you
  • Do not misuse the vulnerability found by, for example:
    • downloading more data than is necessary to prove the data breach
    • changing or deleting the information
  • Be especially cautious with regard to personal data.
  • Do not share this vulnerability with others until it has been remedied.
  • Do not attack the physical protection or applications of third parties, or use social engineering, (distributed) denial-of-service, malware or spam.
  • Provide enough information to reproduce the vulnerability, so we are able to remedy it as soon as possible. Usually, the IP address or the URL of the systems affected and a description of the vulnerability and the actions performed are sufficient, but more information may be necessary in the case of more complex vulnerabilities.

We guarantee that

  • We will respond within 5 working days with our assessment of the report and an expected date for a solution.
  • We will treat your report confidentially and will not provide your personal data to third parties without your permission, unless this is necessary for the fulfilment of statutory obligations.
  • We will keep you informed on the progress of the solution for the vulnerability.
  • You can make your report anonymously or under a pseudonym. However, if you do so we are not able to contact you about, for instance, the next steps, the progress of containing the breach, publication or any possible reward for the report.
  • If you wish, when the vulnerability is reported we will state your name as the person who discovered the vulnerability.
  • We aim to solve all the problems as soon as possible and to inform all the parties involved. We welcome involvement in any publication about the vulnerability, after it has been remedied.

Our policy falls under a Creative Commons Attribution 3.0 licence. The policy is based on the example of Floor Terra and Surfnet.