At Naturalis Biodiversity Center, cybersecurity is high on the agenda and every effort is made to keep ICT systems secure. Despite our efforts, it may happen that a vulnerability has been overlooked. If you have found a vulnerability, we would like to hear from you, to fix it as soon as possible. Please send an email to with a description of your findings, the IP address or URL where the vulnerability was found, possibly with an attachment. 

In doing so, Naturalis asks: 

  • to not abuse the found vulnerability: to not download more data than necessary, to not edit or delete data, to not share the data with others;
  • to not publish or share the vulnerability before it has been fixed and
  • to delete any downloaded data after transfer to Naturalis.

Naturalis does not agree to demonstrate a vulnerability by:

  • placing malware;
  • using brute force to gain access;
  • conducting a Denial of Service attack;
  • using Social Engineering.

Naturalis promises:

  • to respond substantively to your report within 3 business days;
  • to not to take legal action if these conditions are met;
  • to treat your report confidentially and not share your personal information without your consent, unless necessary to comply with legal obligations; 
  • inform you of the resolution of the vulnerability;
  • to naming you, if you wish, as the discoverer of the vulnerability in communications; 
  • an appropriate reward, according to the severity of the vulnerability and the quality of the research (if there is no vulnerability or risk, no reward will be awarded) and
  • to strive to resolve the vulnerability quickly within 30 days and involve you in communicating this.