Skip to content

Security Policy

The Dutch Tax Office (Dutch: Belastingdienst) takes the security of our products and services seriously.

If you believe you have found a security vulnerability, please report it before sharing it with the outside world. This way, we can take measures first. This is called 'Coordinated Vulnerability Disclosure' (CVD).

Reporting Security Issues

Please do not report security vulnerabilities through public GitHub issues.

The Coordinated Vulnerability Disclosure page on our webpage explains how to securely report your finding.

In summary:

  • Send us your findings by e-mail: cvd@belastingdienst.nl
  • If possible, encrypt your findings with our PGP-key on the Coordinated Vulnerability Disclosure page.
  • provide sufficient information to be able to reproduce the problem, so that we can rectify this as quickly as possible. The URL of the system affected and a description of the vulnerability are sufficient, but more information may be required for more complex vulnerabilities.
  • leave your contact details so that our Security Operations Centre can contact you in order to jointly find a safe solution. Leave at least an e-mail address or telephone number.
  • do not share the information regarding the security problem with other people until we have solved it.
  • handle the information regarding the security problem responsibly by not performing any actions that go further than necessary to demonstrate the security problem.
  • realize that any information in our systems falls under the (fiscal) duty of confidentiality and that further dissemination of the said information is a punishable offense.

Policy