You can report a vulnerability in an RIVM ICT system to the National Cyber Security Centre (NCSC). You can do this by emailing security@ncsc.nl or by using the NCSC’s CVD form. Always report the vulnerability to the NCSC before disclosing it publicly, so the RIVM can take appropriate measures.
What is a Coordinated Vulnerability Disclosure?
A CVD means someone reports a discovered security issue confidentially to the organization that can fix it. This allows measures to be taken before the vulnerability is made public.
The CVD policy also protects the reporter of the vulnerability. If a report meets the stated conditions, no legal consequences will be attached to the report.
Information required for a CVD report is included by default in the website’s security.txt file.
What to consider when making a CVD report
If you report a vulnerability in our ICT system, please note the following:
- Follow the NCSC’s CVD policy.
- Report the vulnerability as soon as possible after discovery.
- Do not share the information with others until the problem is resolved.
- Keep the report confidential and do not make it public, including via media or other channels, until the RIVM or NCSC gives permission.
Do not exploit a weakness in our ICT system
If you discover a vulnerability, do not exploit it. Examples of prohibited actions include:
- Installing malware
- Copying, altering, or deleting data
- Making changes to the system
- Repeatedly gaining access or sharing access with others
- Using brute force methods
- Using denial-of-service or social engineering techniques
- Installing your own backdoor in a system to demonstrate the vulnerability
- Further exploiting a vulnerability beyond what is strictly necessary
What we do after a Coordinated Vulnerability Disclosure
The NCSC processes your report and decides whether to forward it to the RIVM if further action is required. Communication about the report will continue via the NCSC.
With your report, we can help prevent important information from falling into the wrong hands or being used for fraudulent or criminal acts.
We treat your report confidentially. We do not share personal data with third parties without your consent, unless required by law.
Coordinated Vulnerability Disclosure policy
This CVD guideline was drafted using the National Government’s Coordinated Vulnerability Disclosure Policy.