At Stichting Matchis we work hard to maintain and improve the security of our (medical) devices, systems and services. No matter how much effort we put into system security, there might be vulnerabilities present. If you discover a vulnerability you can report it safely via our Coordinated Vulnerability Disclosure, so Stichting Matchis can take safety measures.

Reporting a vulnerability

If you have found a vulnerability, we would like to hear about it so that we can take appropriate measures as quickly as possible. Stichting Matchis is keen to cooperate with you to protect our clients and systems better.

Our Coordinated Vulnerability Disclosure policy is not an invitation to proactively scan our network/systems for vulnerabilities. We monitor our network/systems continuously ourselves and such activities can result in unnecessary expenses.

If you comply with our Coordinated Vulnerability Disclosure policy we have no reason to take legal action against you regarding the reported vulnerability. We ask you to:

• Make sure that your findings are in scope. On www.z-cert.nl/cvd-english/ you can check what is considered to be out-of-scope.
• Send your findings to Z-CERT. To do this please use the mail template on www.z-cert.nl/cvd-english/ and send it to cvd@z-cert.nl encrypted with our PGP-key. Z-CERT is an organization that handles all cyber security issues on behalf of Stichting Matchis. Z-CERT will work with you and Stichting Matchis to make sure that your report is handled with care.
• Provide adequate information to allow us to investigate and reproduce the vulnerability. Fill out every aspect of the CVD-form. This helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities. You may add a proof of concept as an attachment.
• Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
• If you suspect to have access to medical data we ask you to let us verify this.
• Do not share information on vulnerabilities until they have been resolved and erase any obtained data as soon as the problem is solved.
• Do not attack (physical) security using social engineering, distributed denial of service, spam, brute force attacks, third-party applications for instance, or other types of attacks.

How we will handle your report:

• Stichting Matchis and Z-CERT will treat your report confidentially and will not share your personal data unless required by law.
• Z-CERT will send you a confirmation of receipt and will respond within five working days with an evaluation of your report and an expected resolution date.
• Stichting Matchis and Z-CERT will keep you informed of the progress in resolving the problem.
• If you report a non-trivial security issue, your name will be mentioned in our Hall of Fame, if you so desire. Stichting Matchis is a non-profit organization and therefore does not offer monetary rewards for reported security vulnerabilities.

We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved we will decide in consultation whether and how details will be published.