Information Security Responsible Disclosure Policy
Purpose
Nivel (Netherlands Institute for Health Services Research) is committed to ensuring the security of our systems and protecting our users’ data. Our Privacy Statement can be found at https://www.nivel.nl/en/privacy-statement.
Despite the considerable attention we devote to our technologies, vulnerabilities may still occur. If you discover any vulnerabilities relating to IT systems and web applications at Nivel, please let us know. We will take immediate action to rectify the weakness identified as quickly as possible. We value the input of security researchers and encourage the responsible disclosure of any vulnerabilities you may discover.
Reporting a vulnerability
To report a vulnerability:
- E-mail our security team at security@nivel.nl with all relevant information about the issue.
- Notify us of the time, place and manner in which the vulnerability or problem occurs. Provide sufficient details to reproduce the vulnerability. Do not, however, exfiltrate data in order to provide us with samples.
- Provide your contact details (e-mail) in case we have any queries.
- Allow us a reasonable amount of time to investigate and address the issue before any public disclosure.
How Nivel handles reported vulnerabilities
- We will send you an acknowledgement to confirm receipt of your notification.
- We will validate the vulnerability described in your report and take immediate action to address it as swiftly as possible (ideally within 10 business days).
- We will treat your report confidentially and will not disclose your personal data to third parties without your consent.
- We will inform you promptly about the results of our analysis and any action taken.
- We will not pursue legal action against security researchers who comply with this policy.
- We will recognise your contribution, if you wish, once the vulnerability has been resolved.
Requests for Security Researchers
- Use your knowledge of the vulnerability responsibly and do not pass on any information about the vulnerability to third parties or institutions unless this has been expressly authorised by Nivel.
- Do not exploit a vulnerability, for example to find other vulnerabilities, or by downloading, modifying or deleting data, or by uploading code.
- Do not carry out attacks in an attempt to compromise, change or manipulate our IT systems, infrastructure or people.
- Do not perform any social engineering (e.g. phishing), (distributed) denial of service, spam or other attacks on the IT facilities of Nivel.
Version 1.0
Author: IT manager
Approved by the Nivel Executive Board on 10 October 2024