Coordinated Vulnerability Disclosure

Are you reporting a vulnerability in one of the systems of Belastingdienst, Customs or Toeslagen? Please do so before you share it with others. This will allow us to take measures first. This is referred to as 'Coordinated Vulnerability Disclosure' (CVD).

Points to consider when reporting a vulnerability (CVD)

We ask you:

  • to inform us of the vulnerability immediately after discovering it.
  • to send us your findings by e-mail: cvd@belastingdienst.nl, cvd@douane.nl of cvd@toeslagen.nl (use for this type of report only)
    If possible, encrypt your findings with our PGP-key (KeyID: 6456 0D9D, Fingerprint: 5249 2678 B375 E9AA E797 F89A 49CC D9CD 6456 0D9D) to prevent information from falling into the wrong hands.
  • provide sufficient information to be able to reproduce the problem, so that we can rectify this as quickly as possible.
    In most cases, the IP address or the URL of the system affected and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities.
  • leave your contact details so that our Security Operations Centre can contact you in order to jointly find a safe solution.
    Leave at least an e-mail address or telephone number.
  • do not share the information regarding the security problem with other people until we have solved it.
  • handle the information regarding the security problem responsibly by not performing any actions that go further than necessary to demonstrate the security problem.
  • realize that any information in our systems falls under the (fiscal) duty of confidentiality and that further dissemination of the said information is a punishable offence.

In all events, avoid the following:

  • installing malware
  • copying, changing or deleting information or configurations of a system (or alternatively making a directory listing or a screenshot)
  • using so-called 'brute force' to gain access to systems
  • using denial-of-service attacks or social engineering

You can expect the following from us:

  • If your report satisfies the aforementioned conditions, we will not attach any legal consequences to this report. We will deal with your report strictly confidentially and will not share any of your personal details with third parties without first obtaining your permission, unless this is mandatory by virtue of the law or a court decision
  • We will send you a confirmation of receipt within 1 working day
  • We will respond to your report with our opinion and an expected solution date within 5 working days
  • We will keep you informed about the progress made. We will rectify the security problem you detected in our system within a reasonable period of time. In mutual consultation, we will determine when and in what way this will be published
  • If you desire, we can name you as the discoverer of the reported vulnerability
  • And as thanks for your help, we offer a playful reward for each report of a serious security problem of which we are unaware. However, this reward will never be a cash reward.

This text was compiled as a supplement to 'Coordinated Vulnerability Disclosure: the Guideline' of National Cyber Security Centre (NCSC).

A valuable report deserves a reward

Is the vulnerability still unknown in our opinion and does it constitute a serious security problem? Then we will give you a reward (swag).

Examples of cup-worthy reports:

  • Cross-Site Scripting vulnerabilities (except self-XSS)
  • SQLi and command injections
  • Authentication Bypass, Unauthorized data access
  • Server-Side Request Forgery
  • Access to PII data
  • Authentication vulnerabilities
  • Directory Traversal
  • Credential leaks
  • Username enumeration without using brute-force methods

Examples of thank-you-letter-worthy notifications:

  • HTTP Host Header Injection
  • CSRF
  • SPF / DKIM errors

Out-of-scope:

  • Self-XSS
  • Social Engineering
  • Denial of Service
  • Attacks on physical property of the tax authorities
  • Username enumeration by using brute-force methods
  • Vulnerabilities using stolen credentials
  • Vulnerabilities that only apply to outdated software / browsers
  • Man-in-the-middle
  • Scanner outputs or scanner reports without a proof of concept showing that vulnerabilities can be exploited

All reports are checked by our team and it is possible that the final reward (swag) deviates from the examples mentioned. If you have a report that is not listed here, it is always welcome and our team will check to what extent your report is handled.

Hall of Fame

In the event you submit a report that we judge to be worth a trophy or a letter of thanks, you will also get a place in our 'Hall of Fame'. Of course, we will ask you first if that is something you want.

Go to 'Hall of Fame – CVD the Netherlands Tax Administration' to see who has already been awarded.

More information

  • You can read more information about the provision of secure internet services for citizens, residents and SMEs in the Netherlands on the Digital Trust Center website.
  • Also see Nationaal Cyber Security Centrum (National Cyber Security Centre, NCSC)' operated by the Ministerie van Justitie en Veiligheid (Ministry of Justice and Security) for more information about a cyber secure Netherlands.

Javascript is disabled in this web browser. You must activate Javascript in order to view this website.