Responsible disclosure

At Naturalis Biodiversity Center, cybersecurity is high on the agenda and every effort is made to keep ICT systems secure. Despite our efforts, it may happen that a vulnerability has been overlooked. If you have found a vulnerability, we would like to hear from you so that we can fix it as soon as possible. Please send an email to csirt@naturalis.nl with a description of your findings and the IP address or URL where the vulnerability was found, possibly with an attachment.

In doing so, Naturalis asks: 

  • to not abuse the found vulnerability: to not download more data than necessary, to not edit or delete data, to not share the data with others;
  • to not publish or share the vulnerability before it has been fixed and
  • to delete any downloaded data after transfer to Naturalis.

Naturalis does not agree to a vulnerability being demonstrated by:

  • placing malware;
  • using brute force to gain access;
  • conducting a Denial of Service attack;
  • using Social Engineering.

Naturalis promises:

  • to respond substantively to your report within 3 business days;
  • to not take legal action if these conditions are met;
  • to treat your report confidentially and not share your personal information without your consent, unless necessary to comply with legal obligations; 
  • to inform you of the resolution of the vulnerability;
  • to name you, if you wish, as the discoverer of the vulnerability in communications;
  • an appropriate reward, according to the severity of the vulnerability and the quality of the research (if there is no vulnerability or risk, or this has already been reported, no reward will be awarded) and
  • to strive to resolve the vulnerability quickly, within 60 days, and to involve you in communicating this.