How can you report such a vulnerability?
You can send a CVD report by e-mail to CVD@vangoghmuseum.nl.
In order for us to quickly reproduce and resolve the vulnerability, we ask that you use the information listed below to make your e-mail as complete and detailed as possible.
- the IP address, URL and/or name of the system affected;
- the vulnerability type;
- a description of the vulnerability;
- a step-by-step explanation of the vulnerability;
- explain why the vulnerability found is worth reporting;
- is there a chance of the vulnerability being actively exploited?;
- what risk or damage does the vulnerability open the Van Gogh Museum up to?;
- please add an attachment if possible.
For more complex vulnerabilities, further details may be required. In that case, we will get in touch with you by using the e-mail address you sent your CVD report from. If you prefer us to contact you by phone, please provide us with a telephone number on which you can be contacted.
- you submit your report as quickly as possible after discovering the vulnerability;
- you do not share information about the security problem with others until you hear from us or until it has been resolved;
- you handle knowledge about the security problem responsibly by not taking any action other than that needed to demonstrate the security problem.
Always avoid the following actions:
- installing malware;
- copying, changing or deleting data in the system. An alternative is creating a directory listing of the system;
- making changes to the system;
- repeatedly gaining access to the system or sharing access with others;
- using 'brute force' to gain access to the system;
- using 'Denial of Service' or 'social engineering'.
- If you submit a report in accordance with the procedure, we have no reason to take legal action as a result of your report. We will handle your report confidentially and will not share personal details with third parties without your consent, unless obliged to do so pursuant to a statutory provision or a legal ruling.
- We intend to send you an acknowledgement of receipt within two working days.
- We intend to respond to a report within two weeks with an assessment of the report. If possible, we will keep you, the reporting party, informed about the progress in resolving the problem.
- The Van Gogh Museum provides a Van Gogh Museum mug as thanks for your assistance in keeping our systems secure. Please note that to be eligible for the mug your CVD report must relate to a serious security problem of which the Van Gogh Museum is not yet aware.
Providing your name and address information is optional. If you are eligible for the mug and wish to receive it, we will need your name and address for shipping. Your data will not be shared with third parties and will only be saved until the report has been processed. More information about how the Van Gogh Museum handles personal data can be found in our privacy statement.