Found something? Let us know
Have you discovered a vulnerability in one of our systems? We kindly ask you to report it to us so we can take appropriate action quickly. We would like to work with you to better protect our students, staff and systems.
We ask you to:
- Send your findings to safe [at] rocmn.nl.
- Report the vulnerability to us as soon as possible after discovering it.
- Not share the vulnerability with others until the vulnerability has been resolved, and delete all information obtained through the leak immediately after it has been fixed.
- Provide us with sufficient information so that we can identify and resolve the issue quickly. In most cases, the IP address or URL of the affected system and a description of the vulnerability are sufficient, though more details may be required for complex vulnerabilities.
- Not abuse the vulnerability - for example, by downloading more data than necessary to demonstrate the issue, or by accessing, deleting, or modifying information belonging to students, teachers, or staff.
- Not use methods such as physical security breaches, social engineering, DDoS attacks, spam, or third-party applications.
We promise that:
- You will hear from us within 3 days regarding how we plan to address the vulnerability and when we expect to resolve it.
- If you report the vulnerability responsibly and follow the steps above, we will not take legal action.
- We will treat your report confidentially, and your personal data will not be shared with third parties without your consent, unless legally required.
- If you have reported the vulnerability according to the steps above, we may offer a reward for your investigation. However, we are not obliged to do so. You are therefore not automatically entitled to compensation. The form of the reward is not predetermined and will be decided on a case-by-case basis. Submissions will be evaluated based on the diligence of your research, the quality and clarity of your report, and the severity of the identified vulnerability.
- We will keep you informed about the progress of resolving the vulnerability.
- In any public communication about the reported issue, we will credit you as the discoverer if you wish. We strive to resolve all issues as quickly as possible.
Hall of Fame
ROC Midden Nederland would like to thank the following individuals for sharing their responsible disclosures:
Reporter | Total | 2021 | 2022 | 2023 | 2024 |
---|---|---|---|---|---|
Gaurang Maheta | 5 | 3 | 2 | ||
Mohamed Althaf | 1 | 1 | |||
Kinshuk Kumar | 1 | 1 | |||
Keyur Maheta | 1 | 1 | |||
Ori Levi | 1 | 1 | |||
Nikhil Rane | 1 | 1 | |||
Aakash Tayal | 1 | 1 | |||
Pushpraj Patil | 1 | 1 | |||
Floris van Trier | 1 | 1 | |||
Daan Doornink | 2 | 2 | |||
Diederick Aangeenbrug | 1 | 1 | |||
Mayank Mukhi | 1 | 1 |
Please note: Our Responsible Disclosure policy is not an invitation to extensively scan our network for vulnerabilities. There is a possibility that your research may involve actions that are considered illegal. The fact that ROC Midden Nederland will not file a police report against you does not exclude the possibility of a criminal investigation into your actions, nor does it prevent a potential criminal conviction.