Fontys University of Applied Sciences believes the security of its systems is very important. Despite every effort to provide careful system security, there are always points for improvement and a vulnerability may occur. You can report this vulnerability to Fontys.
Please inform us if you discover any vulnerabilities in one of our systems. This will enable us to take measures as soon as possible. We would like to work with you to better protect our users and systems.
No invitation to scan actively
The Fontys 'Responsible Disclosure' policy is not an invitation to actively and extensively scan our network or our systems for vulnerabilities, since we monitor our company network ourselves. There is a good chance that we will pick up your scan and that our security team will investigate it, which could lead to unnecessary costs.
It is quite possible that, during your investigation, you will perform actions which are punishable under criminal law. If you have complied with the conditions below, we will not take legal action against you. However, the Public Prosecutor's Office retains the right to decide whether it will take legal action against you. Read the Public Prosecutor's policy directive on this topic (pdf).
Our request to you
Report your findings as soon as possible via the Responsible disclosure report form to prevent information from falling into the wrong hands.
Do not misuse the vulnerability found by, for example:
- downloading more data than is necessary to prove the data breach
- changing or deleting the information
- Be especially cautious with regard to personal data.
- Do not share this vulnerability with others until it has been remedied.
- Do not attack the physical protection or applications of third parties, or use social engineering, (distributed) denial-of-service, malware or spam.
- Provide enough information to reproduce the vulnerability, so we are able to remedy it as soon as possible. Usually, the IP address or the URL of the systems affected and a description of the vulnerability and the actions performed are sufficient, but more information may be necessary in the case of more complex vulnerabilities.
We guarantee that
- We will respond within 5 working days with our assessment of the report and an expected date for a solution.
- We will treat your report confidentially and will not provide your personal data to third parties without your permission, unless this is necessary for the fulfilment of statutory obligations.
- We will keep you informed on the progress of the solution for the vulnerability.
- You can make your report anonymously or under a pseudonym. However, if you do so we are not able to contact you about, for instance, the next steps, the progress of containing the breach, publication or any possible reward for the report.
- If you wish, when the vulnerability is reported we will state your name as the person who discovered the vulnerability.
- We can give you a reward for your investigation but we are not obligated to do so. Therefore, you are not automatically entitled to compensation. The form of this reward is not pre-established but will be decided by us on a case-by-case basis. Whether or not you will receive a reward and the way this is done depend on the diligence of your research, the quality of the report and the seriousness of the breach.
- We aim to solve all the problems as soon as possible and to inform all the parties involved. We welcome involvement in any publication about the vulnerability, after it has been remedied.