Reporting weaknesses in our IT systems

Have you found a weakness in an IT system? Please report it by emailing responsible.disclosure@icscards.nl.

Make sure to include the following information in your report:

• A clear description of the weakness.
• What is affected by this weakness. For example, the product, website, API endpoint, IP address or web page (URL, version or environment).
• Step-by-step instructions on how to identify the issue. If you have proof-of-concept code or screenshots, please include them.
• The impact you believe this issue has.
• Relevant log files, request or response examples, or configuration notes. Please remove sensitive data where possible.

Please do not send exploit code that actively causes damage or collects too much data.

When to not use the responsible disclosure email address

Please do not use the responsible disclosure email address for:

• Reporting fraud or suspected fraud
• Reporting scam or phishing emails
• Reporting viruses
• Submitting complaints about ICS services or products
• Questions or complaints about the availability of the website, our app or Mijn ICS

This is what we will do after you submit your report:

1. We will send you confirmation that we have received your report within 5 working days
2. We will assess the reported vulnerability
3. We will keep you informed about the progress and the expected timeline of our solution

Your report will remain confidential. We only collect the personal data we need to process your report. We do not share your personal data with third parties, unless we are legally required to do so. For example, if there is suspicion of abuse or criminal activity. We will not take legal action against you if you comply with our policy and act in good faith.

We will only use your personal data to take action in response to your report. As a general rule, we do not share your personal data with others without your consent.

During your investigation, you might act in a way that is punishable by law. If you follow our rules for reporting weaknesses in our IT systems, we will not file a report with the authorities or submit a claim for damages.

It is important for you to know that the public prosecutor is the one who in the end will decide if you will be prosecuted. This decision does not depend on us, whether or not we file a report. This means that we cannot guarantee that you will never be prosecuted if you commit criminal acts during your research.

The National Cyber Security Centre of the Ministry of Justice and Security has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.

We ask you to be responsible and act as carefully and cautiously as you can. During your research, only use the necessary methods or techniques to find or show weaknesses.

• Protect your own systems as well as possible.
• Do not use the weaknesses you discovered for anything other than your own research.
• Do not use social engineering to get into a system.
• Do not place backdoors in any system, even to show a weakness. Backdoors make systems less safe.
• Do not change or delete data in systems. If you need to copy data for your research, never copy more than you need. If one record is enough, do not go any further.
• Do not make changes to systems.
• Do not try to access systems more often than necessary. If you are able to get in, do not share that access with others.
• Do not use brute-force techniques, such as repeatedly trying passwords, to access systems.

Yes, this is possible. We may give you a reward for your research. However, we are not required to do so. This means that you do not automatically have the right to a reward. There is also no standard amount that we give as a reward. We decide on a reward for each case separately. Whether we give you a reward and the amount we choose to give depends on factors such as:

• The care you took during your research
• The quality of your report
• The amount of potential damage that was prevented because of your report

Never share your research or weaknesses in our IT systems without discussing it with us first. This helps us prevent criminals from misusing your information. Discuss your findings with our security experts and give us time to resolve the issue.

Please do not use the responsible.disclosure@icscards.nl email address for:

• Reporting fraud or suspected fraud
• Reporting scam or phishing emails
• Reporting viruses
• Submitting complaints about ICS services or products
• Questions or complaints about the availability of the website, our app or Mijn Card Online.

Do you have questions or complaints like this? Or do you want to make a report that is not related to an IT weakness? Please contact us.

• Submit a complaint (Dutch only)
• Report fraud (Dutch only)

Yes. You do not have to share your name or contact details when submitting a report. Please note that in this case we cannot consult with you about the next steps. For example, about what we do with your report, further cooperation, credits such as name recognition, or a possible reward.