Responsible disclosure
At Naturalis Biodiversity Center, cybersecurity is high on the agenda and every effort is made to keep ICT systems secure. Despite our efforts, a vulnerability may have been overlooked. If you have found a vulnerability, we would like to hear from you so that we can fix it as soon as possible. Please send an email to csirt@naturalis.nl with a description of your findings and the IP address or URL where the vulnerability was found, optionally with an attachment.
In doing so, Naturalis asks:
- to not abuse the found vulnerability: to not download more data than necessary, to not edit or delete data, to not share the data with others;
- to not publish or share the vulnerability before it has been fixed; and
- to delete any downloaded data after transfer to Naturalis.
Naturalis does not agree to a vulnerability being demonstrated by:
- placing malware;
- using brute force to gain access;
- conducting a denial-of-service attack;
- using social engineering.
Naturalis promises:
- to respond substantively to your report within 3 business days;
- to not take legal action if these conditions are met;
- to treat your report confidentially and not share your personal information without your consent, unless necessary to comply with legal obligations;
- to inform you of the resolution of the vulnerability;
- to name you, if you wish, as the discoverer of the vulnerability in communications;
- to give an appropriate reward, according to the severity of the vulnerability and the quality of the research. If there is no vulnerability or risk with a critical or high impact, or if it has already been reported, no reward will be granted. Results of automated scans are generally not eligible for rewards;
- to strive to resolve the vulnerability quickly, within 60 days, and to involve you in communicating this.