Policy for responsible disclosure CityGIS B.V. Version: 01-2024
7 May 2025 by Remy Raaphorst
Principles
We consider the security of our systems to be a top priority, but no matter how much effort we put into system security, vulnerabilities may still be present.
If you discover a vulnerability, we would like to know about it so that we can take measures to fix it as quickly as possible. We would like to ask you to help us better protect our customers and your systems.
Please do the following:
- E-mail your findings to info@citygis.nl;
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability or by deleting or modifying data of others;
- Do not disclose the problem to others until it has been fixed;
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications; and
- Please provide enough information to reproduce the issue so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but complex vulnerabilities may require more explanation.
What we promise:
- We will respond to your report within 3 working days with our evaluation of the report and an expected date for resolution;
- Unfortunately, it is not possible to rule out legal action against you in advance. We want to be able to weigh up each situation separately. We consider ourselves morally obliged to report the crime when we suspect that the weakness or data is being abused, or that you have shared knowledge about the weakness with others. You can count on it that an accidental discovery in our online environment will not lead to a report;
- We will treat your report in strict confidence and will not pass on your personal data to third parties without your permission;
- We will keep you informed of the progress in resolving the problem;
- If the information about the reported problem is published, we will mention your name as the discoverer of the problem (unless you wish otherwise).
We strive to solve all problems as quickly as possible.