Ga naar inhoud

Report a vulnerability

If you discover a weak spot or vulnerability on this website, please report this to Univé. Making such a report is called Coordinated Vulnerability Disclosure (CVD). Also known as Responsible Disclosure.

The data of Univé's customers is important

That is why a lot of care is taken to protect this customer data. However, it is possible that a weak spot is discovered. This can be by accident during normal use of the digital environment or by searching for it in a targeted manner.

You can help us

By working together to better protect our customers and our systems. Do you discover a weak spot? Then report it to Univé as soon as possible. In this way, Univé can take measures quickly.

You can report a vulnerability by:

  • Email your findings as soon as possible to security@unive.nl;
  • Not to share the report/vulnerability with others to prevent others from also accessing this information;
  • Provide enough information so that we can mimic the problem. This way we can solve it as quickly as possible. The IP address or web address of the affected system and a description of the vulnerability is often enough. Complex problems may require more information.

Univé will then:

  • Treat your report confidentially. Your personal information will not be shared with others without your consent. An exception to this is if the law requires this. Reporting anonymously or under a pseudonym is possible;
  • Respond to your report within five days with our assessment and an expected resolution date;
  • Keeping you informed of the progress of resolving the problem;
  • Not take legal action against you for this notification if you have complied with the following and legal conditions;
  • After the issue has been resolved, if you wish, go public with news of the reported issue with your name as the discoverer.

We strongly request:

  • Not (legally) prohibited from performing cybercrime activities, such as (but not limited to) 'brute force attacks', 'social engineering', attacks on physical security, 'distributed denial of service', spam or third party applications to gain access to systems ;
  • Not actively scanning for weak spots. Because the Univé network is continuously monitored, there is a good chance that such a scan will be detected. Univé will investigate this, which may lead to unnecessary costs;
  • Not to place your own 'backdoor' in an information system to demonstrate the vulnerability. This can cause additional damage and unnecessary safety risks;
  • Not to use a vulnerability more than is necessary to determine the vulnerability;
  • Do not copy, delete or modify data from the system. What is possible is to make a 'directory listing' of a system;
  • Not adjusting the system;
  • Do not try to access the system more often and do not share access with others.