Coordinated Vulnerability Disclosure

Have you discovered a vulnerability in a Royal HaskoningDHV ICT system? Please notify us of the security vulnerabilities that you have found, before informing the outside world. This gives us the opportunity to take action first. Doing so is called 'coordinated vulnerability disclosure' or 'responsible disclosure'.

Which vulnerabilities can be reported

Vulnerabilities that pose a risk to system security can be reported to us. Examples include vulnerabilities that give the ability to bypass login forms or allow unauthorised access to databases containing personal information.

Not every defect in a system is a vulnerability. In general, the following defects do not result in a potential security breach and we therefore kindly ask you to not report such vulnerabilities to us:

  • Defects that do not affect the availability, integrity, or confidentiality of data.
  • The opportunity to use cross-site scripting on a static website or a website that does not process any sensitive (user) data.
  • The availability of version information, for example via an info.php file. One possible exception in this scenario is when the version information reveals that the system uses software that contains known vulnerabilities.
  • The lack of HTTP security headers as used by mechanisms such as Cross-Origin Resource Sharing (CORS), unless this lack of a security header demonstrably results in a security problem.

Of course, if you are in doubt whether the vulnerability you have found suits one of the above exceptions, you can still report it to us. We will determine whether the defect constitutes a vulnerability and take appropriate follow-up actions.

What to do

Once you have discovered a vulnerability, report it as soon as possible to Royal HaskoningDHV using the button below. Consider encrypting the contents of your report using our ‘PGP key’.

  • Handle the information in your possession responsibly. Do nothing more than is necessary to demonstrate the security vulnerability.
  • Share enough information with us so that we can reproduce the vulnerability and fix it as soon as possible. The IP address of the computer or the URL of the ICT system, together with a description of the security vulnerability, is usually sufficient. The more complicated the vulnerability, the more details we need to reproduce it.
  • Leave your contact details, at least an email address or telephone number, so that we can contact you.

What NOT to do

  • Don’t send malware.
  • Don’t copy, change, or delete any data in the ICT system concerned (as an alternative, you can create a directory listing of the system).
  • Don’t make any changes to the system.
  • Don’t repeatedly visit the system or share access with others.
  • Don’t use ‘brute force’ to open the system.
  • Don’t perform denial of service or social engineering.
  • Don’t share information about the vulnerability with others.

What to expect

  • When you report the security vulnerability to us, Royal HaskoningDHV will check whether you have complied with the conditions described above. If you have done so, Royal HaskoningDHV will not attach legal consequences to your notification.
  • Royal HaskoningDHV treats the notifications it receives confidentially. Your personal details will not be shared with third parties without your permission, unless required to do so by law or a court order.
  • Royal HaskoningDHV will send you an acknowledgement of receipt of your notification within one working day.
  • Royal HaskoningDHV will respond to your notification within three working days. The response will contain an assessment of your notification and the date on which the vulnerability is expected to be remedied.
  • Royal HaskoningDHV will keep you – as the one who discovered the vulnerability – posted on the remedial action. Royal HaskoningDHV will strive to remedy the security vulnerability identified by you as soon as possible, and no later than 60 days after receiving your notification. Royal HaskoningDHV will plant a tree for you in our Forest of Fame as a reward for your help. To be eligible for this reward, the report must concern a serious security problem not yet known to Royal HaskoningDHV. See the ‘Forest of Fame’ section for more information.

Report a vulnerability

In the event you find a technical vulnerability in one of the systems of Royal HaskoningDHV, you can report the identified vulnerability to us by providing the information below. This gives us the opportunity to take action first. Doing so is called ‘responsible disclosure’ or ‘Coordinated Vulnerability Disclosure (CVD)’.

To prevent the data from falling into the wrong hands, you can encrypt the content of your report using our ‘PGP key’. Please read our CVD Policy before submitting your report. Here you will find more information about how we will process your CVD and what is expected from you.

If you have a question or comment that does not relate to cyber security, please contact Royal HaskoningDHV via the general contact information on royalhaskoningdhv.com.

What to include in your report

  • First name (optional)
  • Surname prefix (optional)
  • Surname (optional)
  • E-mail (required)
  • Telephone number (optional)
  • Appendices (optional)
  • Type of vulnerability (required), one of:
    • Injection
    • Broken Authentication
    • Sensitive Data Exposure
    • XML External Entities (XXE)
    • Security Misconfigurations
    • Cross-Site Scripting (XSS)
    • Broken Access Control
    • Insecure Deserialization
    • Availability
    • Integrity
    • Confidentiality
    • Other
  • Step-by-step explanation of the vulnerability (required)
  • Explain why the identified vulnerability requires reporting (required)
  • Domain name(s) or IP address(es) relating to the report (required)
  • Your own PGP key (optional)

By submitting your report, you acknowledge that you have read and agree to the terms of the CVD policy. In addition, you agree that the data you provided may be used for communication regarding the notification you made and for realising the reward if you are eligible.

Information about the processing of your personal data

We ask you to provide your email address in order to communicate with you regarding your report. Providing a (nick)name and telephone number is optional. If you are eligible for a reward, we will also need your (nick)name if you wish us to mention your (nick)name in the Forest of Fame. Your data will not be shared with third parties unless this is required by law or a court order.

Forest of Fame

Starting in 2024, Royal HaskoningDHV will create a Forest of Fame by planting a tree and mentioning the (nick)name of the researcher. This is to highlight and thank the researchers who have made a positive contribution to the digital security of Royal HaskoningDHV. To qualify, the following quality requirements must be met:

  • The report has a major impact on the digital security of Royal HaskoningDHV.
  • When there are multiple reports from the same reporter: the proportion of valid, good-quality reports is high.
  • The quality of the reporting in the notification is good.