Responsible disclosure policy
Avans University of Applied Sciences greatly values the security of your data and ours. That is why we protect our systems. Despite all our efforts to secure our systems, vulnerabilities may still be present. If you notice such a vulnerability in an Avans system, we would like to work with you to resolve this situation as soon as possible. We therefore ask you to share this information with us.
To prevent misuse of such potential data leaks, we request that you adhere to these guidelines:
- Report the problem by sending an e-mail to ict-security.DIF@avans.nl.*
- Do not actively exploit the vulnerability, download data or investigate the problem further.
- Do not share information about this vulnerability with others until it has been rectified. Do not share this information with others within 3 months of your report.
- Provide sufficient information, such as an IP address, URL and description. This will ensure we can reproduce the problem and solve it as quickly as possible.
- After Avans has been able to reproduce the problem you reported, make sure you delete any sensitive information obtained through the vulnerability.
- Do not use methods that attack physical security or people (social engineering). Do not use distributed denial of service attacks, spam or third-party applications.
If you adhere to the above guidelines, we commit to:
- contacting you within 5 working days and specifying an estimated period to fix the vulnerability
- refraining from taking legal action against you regarding the reporting of improper access to a system or data
- treating your report confidentially and refraining from sharing your personal data with third parties without your permission, unless there is a legal obligation to do so
- keeping you informed on the progress of the solution to the problem
- acknowledging you as the person who identified the vulnerability in any communications about it, if you so wish.
We aim to resolve any identified vulnerabilities in our security as soon as possible. Normally, Avans does not share data regarding discovered vulnerabilities with third parties or in public. We only share such data, for example with suppliers, if it is necessary to solve the problem. In exceptional cases, Avans may choose to disclose the discovered problem. In the latter case, we can acknowledge you as the person who discovered the problem if you wish.
* You can also submit a report anonymously or under a pseudonym. If you wish to send an encrypted file, please use the public PGP key.