Coordinated Vulnerability Disclosure (CVD)

The LUMC works hard to maintain and improve secure ICT systems. However, vulnerabilities (weak spots) may still exist. If you discover a vulnerability in one of our ICT systems, please report it to us so we can take timely measures. This Coordinated Vulnerability Disclosure (CVD) policy explains how we handle your report.

Do not actively scan the network

This CVD policy is not an invitation to extensively and actively scan the LUMC corporate network for vulnerabilities. Such a scan is likely to be detected by us; we continuously monitor our network. Our CERT (Computer Emergency Response Team, a specialized team of ICT professionals) may then investigate and incur unnecessary costs.

Reporting a vulnerability

How can we ensure the security of LUMC's ICT systems together?

We ask you to:

  • Email your findings as soon as possible to CERT@lumc.nl. Encrypt your findings with our PGP key to prevent the information from falling into the wrong hands. The fingerprint of the PGP key is: 67C2EDD36F590362D2080A4E82A67FD39D3FFEAF
  • Not misuse vulnerabilities, for example by downloading more data than is necessary to demonstrate the vulnerability.
  • Not view, delete, or modify third-party data. We also ask you to be extra cautious with personal data.
  • Not share vulnerabilities with others until they are resolved. We also ask you to delete all confidential data obtained through vulnerabilities as soon as possible.
  • Not use physical security attacks, third-party applications, social engineering, distributed denial-of-service, or spam.
  • Provide sufficient information to reproduce the vulnerability so we can resolve it quickly. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient. More information may be needed for complex vulnerabilities.
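The encryption step requested above, as an added example that is not part of LUMC's policy page or tooling: a POSIX shell script that reads the fingerprint gpg computes from a copy of the CERT key, checks it against the fingerprint published on this page, and only then imports the key and encrypts the report to it. Checking the fingerprint first is what prevents a swapped or look-alike key from receiving the vulnerability details. The key file name (lumc-cert.asc) and report file name (report.txt) are assumptions; the fingerprint is the one stated above.

```shell
#!/bin/sh
# Added example, not LUMC's own tooling. Verify the published PGP fingerprint
# against the key you actually hold before encrypting a report to it.
# Assumptions: the key was saved as lumc-cert.asc and the report as report.txt.
set -eu

# Fingerprint as published on the LUMC CVD page.
EXPECTED_FPR="67C2EDD36F590362D2080A4E82A67FD39D3FFEAF"

# Canonical form: no spaces/tabs/newlines, no leading 0x, upper-case hex, so the
# grouped form gpg prints and the flat form on the page compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only for a well-formed 40-hex-digit (v4) fingerprint equal to EXPECTED_FPR.
fpr_matches() {
    fpr=$(normalize_fpr "$1")
    case "$fpr" in
        *[!0-9A-F]*) return 1 ;;        # non-hex characters
    esac
    [ "${#fpr}" -eq 40 ] || return 1    # short/long key IDs are not enough
    [ "$fpr" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Extract the primary-key fingerprint gpg computes from a key file, without
# importing it. In --with-colons output the fingerprint is field 10 of "fpr".
fpr_from_keyfile() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key and encrypt the report only after the fingerprint check passes.
encrypt_report() {
    keyfile="$1"
    report="$2"
    actual=$(fpr_from_keyfile "$keyfile")
    if ! fpr_matches "$actual"; then
        echo "refusing to encrypt: key fingerprint '$actual' does not match the published fingerprint" >&2
        return 1
    fi
    gpg --batch --import "$keyfile"
    # Address the key by full fingerprint, never by name or short ID.
    # --trust-model always is acceptable here only because the fingerprint
    # was just verified against the published value.
    gpg --batch --armor --trust-model always \
        --recipient "$EXPECTED_FPR" --encrypt --output "$report.asc" "$report"
    echo "wrote $report.asc; send it to CERT@lumc.nl"
}

# Usage: sh cvd_report.sh --run lumc-cert.asc report.txt
if [ "${1:-}" = "--run" ]; then
    encrypt_report "$2" "$3"
fi
```

The comparison is done on a normalized form so that the fingerprint as gpg prints it (grouped in blocks of four) and as the page prints it (one flat string, possibly pasted with a 0x prefix) are treated as the same value; anything shorter than the full 40 hex digits, such as a short key ID, is rejected because short IDs can be collided.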

We promise you that we will:

  • Try to resolve the vulnerability as quickly as possible.
  • Not take legal action against you regarding the report if you comply with the above requests. The Public Prosecution Service decides on any criminal prosecution.
  • Respond to your report within 5 working days with our assessment and any expected resolution time.
  • Treat your report confidentially and not share your personal data with third parties without your permission, unless necessary to comply with a legal obligation.
  • Keep you informed of the progress of resolving the issue.
  • Mention your name as the discoverer of the vulnerability in any communication about it, if desired. You will also receive an honorable mention if desired.

You can also report a vulnerability anonymously or under a pseudonym. In that case, we cannot contact you about follow-up steps, progress, or possible publication of the vulnerability.

Not a vulnerability

What we do not consider a vulnerability:

  • Intentional directory content listings for research or publication purposes
  • SPF, DKIM, DMARC issues
  • Missing Secure or HttpOnly cookie flags
  • Reporting outdated software or upgrade possibilities without associated exploit and proof of concept
  • Missing DNSSEC information
  • PHP accessibility
  • Clickjacking (or framing)

This is not an exhaustive list; our systems are regularly tested for vulnerabilities. Security issues identified through these tests are considered known problems.

Honorable Mentions

Does your report deserve an honorable mention according to LUMC? With your permission, we will list your name in the 'Hall of Fame' below.
The LUMC thanks the following individuals for reporting their findings about our systems. Thanks to their efforts, our security is kept at the appropriate level.

  • Divya Chaudhari | 2024 
  • Shazil Rao | 2024
  • Adrian Tirado Garcia | 2024
  • Shivam Dhingra | 2024
  • Parth Narula | 2024
  • Prathamesh Patil | 2024
  • Gaurang Maheta | 2024
  • Vijay Sutar | 2024
  • Teun van der Ploeg | 2023
  • Mr!dul Vohra | 2022
  • Gowthamaraj Rajendran | 2022
  • Abhay Vishwakarma | 2022
  • Ramon Dunker | 2022
  • Lakshit Sharm | 2022
  • Sadekh Shaikh | 2022
  • Hatim chabik | 2021
  • Kommalapati Manohar | 2021
  • Parth Manek | 2021
  • Ashutosh Rimal | 2021
  • Vedant Shinde | 2021
  • Pankaj Lakshkar | 2021
  • Michele Corrias | 2021
  • Nitesh Singh | 2021
  • Parth Surati | 2021
  • Shreya Achrya | 2021
  • Sheikh rishad | 2021
  • Gaurang Maheta | 2021
  • Jai Kumar | 2021
  • Irshad Mohammed | 2021
  • Rifat Khan | 2021
  • Harinder Singh | 2021
  • Sock Puppets | 2021