Responsible disclosure Studielink

At Studielink, we consider the security of our systems, i.e. the applications with the underlying infrastructure, to be very important. In spite of the attention that we give to the security of our systems, a weak link can nevertheless occur.

 

 If you have detected a weak link in one of our systems, then please inform us so that we can take measures as soon as possible. We would like to work together with you so that we can protect our users and our systems better. 

 

What we ask of you:

  • Mail your findings to security@studielink.nl. If you wish to send your report only in encrypted form, please inform us at the aforementioned e-mail address. We will then give you instructions on how to send the information encrypted. 

 

PLEASE NOTE! This e-mail address is only intended for reporting weak links in our security measures. All general questions and comments regarding the use of Studielink will NOT be answered via this e-mail address but should be addressed to the institution where you are studying or will be studying. You can also make use of the Studielink Q&A. 

 

  • Do not misuse the problem by, for example, downloading more data than necessary to demonstrate the security leak or by viewing, removing or altering the data of third parties.
  • Do not share the problem with others until it has been solved and immediately delete all confidential data obtained through the security leak as soon as this leak has been repaired.
  • Do not make use of attacks on physical security, social engineering, distributed denial of service, spam or third party applications.
  • Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. The IP address or the URL of the affected system and a description of the weak link are usually sufficient; however, in the event of more complex weak links, more information could be necessary. 

 

What we promise to you: 

  • We will respond to your report as soon as possible, but within a maximum of 14 days, with our assessment of the report and an expected date for a solution.
  • If you have adhered to the above conditions, we will not take any legal action against you in connection with the report.
  • We will treat your report confidentially and we will not share your personal details with third parties without your permission unless this is necessary to comply with a legal obligation. A report can be made under a pseudonym.
  • In announcements regarding the reported problem, we will state your name as the person who detected the problem if you wish.
  • As a thank you for your help, we offer a reward for every report of a security problem not yet known to us. We will determine the size of the reward, in the form of a gift voucher, based on the seriousness of the security leak and the quality of the report.

 

We aim to solve all problems as quickly as possible and we would like to be involved in any publication regarding the problem after it has been solved. 
 
With thanks to Floor Terra for his example text on http://responsibledisclosure.nl/