Reporting a vulnerability (weak spot)
General
If you think you've found a weak spot in the council's digital services (a 'security breach'), or you can see confidential information, such as personal data (a 'data breach'), the council would like to work with you to resolve the situation as quickly as possible. Report the security breach or data breach to the council.
Breda council finds the security of data and communication technology to be important. Although it pays close attention to this, a weak spot can still be present. The council wants to fix a breach as quickly as possible. Please send it all the information you have.
What do you need to know?
The council asks you to:
- Report your findings as soon as possible.
- Provide enough information for the council to reproduce the problem, helping it to fix this problem as quickly as possible. Usually, the IP address, or the link (URL) of the affected system and a description of the vulnerability are enough. But more information may be needed if the vulnerability is complex.
- Leave your contact details so the council can contact you. This way we can work together to fix the problem. You can also report the problem anonymously, but then the council can't update you or reach agreements about the resolution.
- Do not share your findings or sensitive information with other people until the problem has been resolved.
- Handle your knowledge of the security problem responsibly, by (for example):
- Not retrieving more data than needed to show the vulnerability
- Not viewing, deleting or changing any data
- Not sharing access with other people
- Not placing your own 'back door' in the system
- Delete all data you have obtained through the security problem as soon as possible.
- Do not carry out any attacks in relation to: physical security, social engineering, installing malware, distributed denial of service, spam, third-party applications, etc.
What will the council do?
- The council will respond to your report within 5 working days, with an assessment and the expected resolution date.
- The council will not take legal action against you if you comply with the terms and conditions.
- The council will treat your report confidentially and will not share your personal data with third parties without your consent, unless required to do so by law or a court order. You can report the vulnerability under a pseudonym if you prefer.
- The council will keep you informed about the progress in resolving the vulnerability.
More information
Breda council aims to resolve all vulnerabilities as quickly as possible. Once the vulnerability has been resolved and you wish to publish information about it, please involve the council with this publication beforehand.