Responsible disclosure

Vulnerabilities in PGGM's ICT Systems

PGGM attaches a great deal of importance to the security of its systems. In spite of the attention devoted to system security, it is possible that a weak spot has been overlooked. Should you find a weak spot in one of PGGM's systems, we would like to hear from you, so that the necessary measures can be taken as quickly as possible. For this reason, PGGM applies the following policy to the handling of reports of observed vulnerabilities in its ICT systems. You can rely on PGGM to abide by this policy when you come across a weak spot in any of its systems and report it. We would like to work together with you to better protect the data in our systems.

PGGM expects you to do the following:

  • Send your report to responsibledisclosure@pggm.nl as quickly as possible after discovering a vulnerability.
  • The report must include the information PGGM needs to reproduce the problem. Generally, the IP address or the URL of the affected system and a description of the vulnerability are sufficient. However, additional information may be required in the event of more complex vulnerabilities.
  • At a minimum, please provide an e-mail address or a telephone number, so that we can work together with you to resolve the issue securely.
  • Do not share any information about the vulnerability with others until after it has been resolved.
  • Handle your knowledge of the security problem responsibly: do not take any action beyond what is required to demonstrate the problem.

In any event do NOT:

  • Spread malware;
  • Copy, change or remove data from the system (a directory listing of the system is sufficient to demonstrate access);
  • Make any changes to the system;
  • Repeatedly gain access to the system or share access to the system with others;
  • Make use of so-called brute force attacks to access the system;
  • Make use of (distributed) denial-of-service or social engineering attacks.

What to expect from PGGM:

  • If you meet the above conditions when you report an observed vulnerability in a PGGM ICT system, PGGM will not take any legal action against you.
  • PGGM treats a report as confidential and will not share personal information with third parties without your permission, unless required to by law or pursuant to a court ruling.
  • PGGM will send you a confirmation of receipt within 1 working day.
  • PGGM will respond to a reported vulnerability within 3 working days with an evaluation of the reported vulnerability and the expected resolution date (if known at that point).

PGGM will keep you informed of the progress made in resolving the problem.