Security internet services

Report vulnerabilities in our internet services

Unfortunately, somethings things can go wrong or we overlook something.

Have you discovered a vulnerability in our internet services? Let us know! Then we can take immediate action.

What can you report?

You can report vulnerabilities in our internet services.

Examples of this are:

• Cross-Site Scripting (XSS) vulnerabilities
• SQL injection vulnerabilities
• weaknesses in the setup of the secure connection

Have you found a vulnerability? Then we urgently ask you to report the problem found to us and to explain it as clearly and completely as possible.

How can you report this?

You can report a discovered vulnerability in our internet services by e-mail to security@onvz.nl.

Important to know:

• we ask that you only share the problem with ONVZ experts and do not make the problem public or share it with third parties. This is how we keep our customers' data safe
• in your investigation of the found vulnerability, you must not damage our programs
• our services may also never be interrupted by your research
• perhaps you are doing something in your research that is not allowed by law. If you have acted in good faith, carefully and in accordance with the following rules, we will not file a report

Which rules do we use?

If you are investigating vulnerabilities in our internet services, please do so in accordance with the following rules:

• do not use social engineering to access our systems
• do not put a backdoor in an information system to expose the weak spot
• only do what is strictly necessary to demonstrate a vulnerability
• do not copy, modify or delete any data. Only send us the (minimum) information you need to demonstrate the problem. For example, make a directory listing or screenshot
• limit your attempts to access the system as much as possible
• do not share information about the access you have been given with others
• do not use so-called brute force attacks to get into our systems

What do we do with your report?

• You will hear what we do with your report within 3 working days
• Is it a serious security problem that we were not aware of? Then you will receive a suitable reward from us as a thank you
• We only use your contact details to communicate with you about the report. We do not share it with others, unless we are legally obliged to do so - for example, if the ministry of justice asks us to do so. Or if we regard your action as a criminal offense (i.e. you have not acted in good faith) and we report this to the police

If you make your report anonymously, we will unfortunately not be able to keep you informed. We will also not be able to give you a reward.

Report fake email

ONVZ can send you e-mails with an iDEAL link, for example for paying your premium and excess. We want to make it as easy as possible for you to pay your bills. Are you unsure whether such an e-mail comes from ONVZ? Check whether the bill matches the information you find in MijnONVZ or the ONVZ app. If you want, you can also pay your bill there directly with iDEAL.

Does the email you received on behalf of ONVZ not match the information in MijnONVZ or the ONVZ app? Then it could be a phishing email. In that case, do not click on any links in the e-mail, but forward the e-mail to valse-email@onvz.nl. So that we can analyze the mail and warn other customers where necessary.

If we receive many messages at the same time, you may not receive a response from us. Your mail will be picked up. Because fake email reports do not reveal vulnerabilities in our internet services, no reward is provided for this.

National Cyber Security Centre

This coordinated vulnerability disclosure regulation is based on the NCSC's coordinated vulnerability disclosure guideline. See also the NCSC website: www.ncsc.nl.