Use of the Princess Máxima Center website
The information on this website is only intended as general information. No rights can be derived from the information on this website. Although the Princess Máxima Center takes care when compiling and maintaining this website and makes use of sources that are considered reliable, we cannot guarantee the correctness, completeness and topicality of the information provided. The Princess Máxima Center does not guarantee that the website will function flawlessly, uninterrupted or free of viruses. The Princess Máxima Center explicitly rejects any liability with regard to the correctness, completeness and topicality of the information provided and the (undisturbed) use of this website.
Information from third parties, products and services
The website of the Princess Máxima Center contains links to websites of third parties; we accept no liability and no responsibility for the content, use or availability of such third-party websites. The use of such links is at your own risk. The information on such websites has not been assessed by the Princess Máxima Center for accuracy, reasonableness, timeliness or completeness.
Use of information
All intellectual property rights and other rights with regard to all information offered on or via this website (including all texts, graphic material and logos) are vested in the Princess Máxima Center. It is not permitted to copy, download or in any way publish, distribute or reproduce information on this website without the prior written permission of the Princess Máxima Center. You may print and/or download information on this website for your own personal use.
Amendments
We have the right to change the information offered, including this disclaimer, at any time without further notice. It is advisable to regularly check whether the information offered on or via this website, including this disclaimer, has been changed.
Applicable law
Dutch law applies to this website and the disclaimer. All disputes arising from or in connection with this disclaimer will exclusively be submitted to the competent court within the district of the Princess Máxima Center.
Coordinated Vulnerability Disclosure
The Princess Máxima Center considers it of great importance that the security of its (medical) equipment, software and services is guaranteed. Despite the care taken to ensure their security, vulnerabilities may nevertheless arise. If you discover such a vulnerability, you can safely report it to us. This approach is called Coordinated Vulnerability Disclosure. In this way, the Princess Máxima Center can take protective measures.
Reporting a vulnerability
If you have found a vulnerability we would like to hear about it, so that we can take action as quickly as possible. The Princess Máxima Center would like to work with you to better protect our patients and systems.
Our Coordinated Vulnerability Disclosure policy is not an invitation to actively scan our corporate network (our systems) for vulnerabilities. We monitor our network, so a scan is likely to be noticed by our IT department, who will investigate it and may incur unnecessary costs as a result.
If you report vulnerabilities to us in accordance with our Coordinated Vulnerability Disclosure policy, we have no reason to take legal action in response to your report. We ask that you adhere to the following rules:
- You report your findings to Z-CERT Foundation by sending an email to cvd@z-cert.nl. You can use the PGP key. The Z-CERT Foundation is the organization that handles Coordinated Vulnerability Disclosure reports for Princess Máxima Center. They work together with you as a reporter and with the Princess Máxima Center to ensure that your report is dealt with.
- In your report, you provide sufficient information so that the problem can be reproduced. That way we can solve it as quickly as possible. Usually the IP address or the URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more information is sometimes desired or necessary.
- You do not abuse the vulnerability identified, for example by downloading more data than is necessary to demonstrate the vulnerability, or by accessing, deleting or modifying data of third parties.
- If you suspect that a vulnerability allows you to view medical data, we ask that you do not verify this yourself but that you ask us to do so.
- You will not share your findings with others until the problem is resolved. In addition, we ask that you delete all confidential data you have obtained immediately after the leak has been resolved.
- You will not conduct attack(s) on our physical security or use social engineering, distributed denial of service, spam, brute-force attacks, and/or third-party applications.
How we handle your report
- The Princess Máxima Center and Z-CERT treat your report confidentially and do not share your personal data with third parties without your permission, unless required by law.
- You will receive a confirmation from Z-CERT and within 5 working days you will receive a response to your report with an assessment of the report and an expected date for a solution.
- As the reporter of the problem, Z-CERT will keep you informed about the progress of resolving the problem.
- In communications about the reported problem, Princess Máxima Center will, if you wish, mention your name as the discoverer.
- The Princess Máxima Center is grateful to you for reporting and for making the Dutch healthcare sector safer. Therefore, the Princess Máxima Center has set up a Hall of Fame. The Hall of Fame will include individuals who have reported a vulnerability or problem in the security of our systems.
Not in scope
Z-CERT will not process reports of vulnerabilities or security issues that cannot be abused or are trivial. Below are a couple of examples of known vulnerabilities and issues that are outside the scope. This does not mean they are not important or should not be resolved; however, our CVD process is meant for issues that can be actively abused, for example a vulnerability that can be abused by a publicly available exploit, or a misconfiguration that can be used to bypass an existing security control. This list of exclusions is derived from a list used by the CERT of SURF (https://www.surf.nl/responsible-disclosure-surf).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injections in these pages
- Fingerprinting/version disclosures on public services
- Public files or directories that do not contain confidential information
- Clickjacking problems that can only be exploited by clickjacking
- Missing Secure/HttpOnly flags on non-confidential cookies
- OPTIONS HTTP method enabled
- Rate-limiting without clear impact
- All issues related to HTTP security headers, for example:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy
- SSL configuration issues, for example:
  - SSL forward secrecy disabled
- No TXT record for DMARC or a missing CAA record
- Host header injection
- Reports of outdated versions of any software without a proof of concept of a working exploit