Responsible disclosure
Version 1.0 (01-01-2024)
Our dependence on digital infrastructure and data has only grown with time. This is true of society as a whole, and it is the case for us as well. We believe that governments and organizations (including the Church of Cyberology) should therefore focus strongly on the security of digital infrastructure.
Despite our best intentions and vigilance, we are aware that our systems may contain a security vulnerability. If you discover a weakness in any of our systems, whether you stumbled on it accidentally or found it through a more targeted effort, please let us know. This will enable us to rectify the problem.
We would like to work with you to better protect our members, our users and our systems.
What we ask of you
- If you are investigating a vulnerability in one of our systems, keep your testing proportionate. You do not have to demonstrate that launching the largest DDoS attack in the history of the internet against our systems would take us down for a while. We know that. This proportionality also applies to demonstrating the vulnerability itself: do not examine or change more data than is strictly necessary to demonstrate it. For example, if you can change our front page, add a non-controversial word somewhere rather than modifying the entire page. If you can access a database, a list of the tables or the first row of one of the tables will suffice.
- Do not abuse the vulnerability by downloading, changing or deleting data, for example. We will always take your report seriously and will investigate any suspected vulnerability, even without “proof”.
- Delete any confidential data obtained during your investigation right after we have fixed the vulnerability.
- Do not share information about the vulnerability with others until it is resolved.
- Do not use physical security attacks, phishing or social engineering.
- Please provide us with sufficient information to reproduce the problem so we can fix it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability will suffice, but more may be required with more complex vulnerabilities.
What we promise
- We will respond in substance to your report within one week and provide an estimate of how long it will take to resolve the problem. Of course, we will continue to provide you with regular updates on our progress in resolving the issue.
- We will fix the vulnerability as quickly as possible. Again, proportionality is important: the time frame for resolving a vulnerability depends on several factors, including the severity and complexity of the vulnerability.
- We will treat your report confidentially and will not share your personal data with third parties without your consent. An exception to this is if a report needs to be filed to the police or judicial authorities or if they request data.
- We guarantee that an accidental discovery, or a discovery made through a proportionate targeted effort, will not result in a police report or legal action on our part.
- If you find a vulnerability in the software that we use, but which was made by a third party, and that vulnerability is covered by a bug bounty program, then any reward will obviously be yours.
We aim to resolve all issues as quickly as possible and keep all parties informed, and we are keen to be involved in any publication about the issue once it has been resolved.
Please report a vulnerability in one of our systems as soon as possible by sending an email to security@cyberology.nl. Preferably send the report encrypted using PGP.