CSO Vulnerability Handling and Responsible Disclosure Process
Do you have the skills and did you discover any vulnerabilities in our systems? If so, help us by reporting these vulnerabilities. So that we can improve the cybersecurity of our systems together.
What to report?
Vulnerabilities with regard to the cybersecurity of the Cybersecurity Observatory’s services offered through the internet. In case you have discovered a vulnerability in our system, please report this as quickly as possible.
Examples of vulnerabilities could be:
- Cross scripting (XSS) vulnerabilities
- SQL injection vulnerabilities
- Encryption vulnerabilities
How can a vulnerability be reported?
A vulnerability should be reported by sending an e-mail at the following address:
Please ensure that your e-mail is written in a clear and succinctly way. Particularly include the following in your e-mail:
- The steps you undertook
- The entire URL
- Objects (as filters or entry fields) possibly involved
- Screen prints are welcome
- Our specialists will read your report and start working on it right away. Did you find a vulnerability in one of our IT-systems. Please contact us directly and do not postpone.
Am I eligible for a reward after my finding?
The Cybersecurity Observatory team highly appreciates your effort by assisting us in optimizing our systems and processes. In case your reported vulnerabilities have been solved or led to a change in our services, you will be properly recognized in our Responsible Disclosure – Hall of Thanks.
Can I report a vulnerability anonymously?
Sure, you do not have to provide your name and contact details in case you want to report a vulnerability. However, you should take into account that we are unable to discuss the next steps with you. For instance, we cannot inform you about what we will do with your discovered vulnerability, neither we can collaborate further, nor we can provide you with the appropriate credits or reward in return for your finding.
Your personal information is only used to approach you and undertake actions with regard to your reported vulnerability.
What will we do with your finding?
A team of security experts will investigate your finding. Within three working days you will be receiving an e-mail with a first reply. Note: revealing your finding to the public is not allowed, instead talk to our experts and give them time to assess and solve the problem. Accordingly, we will provide you with feedback with regard to your finding. We will explain to you whether we will solve the problem, how we will solve it and when.
By investigating our IT systems, it might be that you act prosecutable. In case you act with good faith, act in accordance to the mentioned rules of the Cybersecurity Observatory, there will not be any inducement to report your action. Therefore, follow the rules of the responsible disclosure.
- Ensure that during your and our investigation of your reported vulnerably, you do not apply any damage.
- Do not utilize social engineering in order to gain access to our IT-systems.
- Never can your investigation disrupt our (online) services.
- Never can your investigation lead to the publicity of the Cybersecurity Observatory or its customer’s data.
- Do not put a backdoor in the system. Neither with the purpose to show the vulnerability. Putting a backdoor will bring damage to the safety of the system even more.
- Do not apply any changes or delete data in the system. In case your finding requires a copy of the data from the system, do not copy more than your investigation requires. If one record is sufficient, do not copy more.
- Do not make any changes in the system.
- Do not attempt to penetrate the system more than required. In case you successfully penetrated the system, do not share gained access with others.
- Do not utilize any brute force-technics (e.g. repeatedly entering passwords) in order to gain access to the system.
- Don’t use techniques that can influence the availability of our (online) services.
- We can only process reported vulnerabilities that are reported in English.
- In case you are eligible to be recognized in our Hall of Thanks (HoT), we require your personal information.
- In case your reported vulnerability is reported by others as well, the reward will be granted to the first reporter.
Responsible Disclosure regulation
With regard to reporting vulnerabilities in IT-systems, this Responsible Disclosure program is subject to the jurisdiction of Spain.
We advise you to take into account that regulations with regard to the Responsible Disclosure differ per country. In case you are living abroad and have found vulnerabilities in one of our Cybersecurity Observatory pages, please realize that the Responsible Disclosure policy is not applicable in every country.