Responsible disclosure policy

Translink operates the OV-chipkaart system so that passengers can travel on public transport safely and easily every day. The security of the OV-chipkaart is Translink's highest priority, and the security of Translink's own ICT systems is of course also very important. Every day, specialists work to improve these systems and processes. Even so, vulnerabilities may still occur. If you discover a vulnerability in our systems or in the OV-chipkaart, we will be happy to work with you to find a solution.

What kinds of vulnerabilities can I report?

You can report problems relating to our online services or the OV-chipkaart. For example:

  • Cross-site scripting
  • SQL injection
  • Weak or broken encryption

Good to know: the reporting point is not intended for complaints about the service or the availability of the website and app. For this, please use the contact form. It is also not intended for reports of problems with OV-chipkaart equipment at train and metro stations or on buses and trams. For this, please contact the relevant operator.

How do I make a report?

Email us at responsibledisclosure@translink.nl, encrypting your message with our public PGP key (below). Include the following in the email:

  • A detailed description of the problem you have found.
  • The information required for us to reproduce and verify the vulnerability you found.

PGP Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (MingW32)

mQENBFPg3akBCADP38pon/G/YgRl31F7wo+Q73ODuxeT5Im14HQN09clBl/TJNYv
C2HDyQbWuw2lzvqv4+t6Hh6nQAOaSa4jIDUx/S7ZhlLSxqb/Kv7T30uU2DSSe697
5t5c9TupqFIVSMfDKrDkUU0X2eFUBDl/HIujx5p9IDW1sfkqaH6HnA4H/M3Rv2r/
W7xF7m28Sz24M/XFvhUWU9LUcjtBulpF/oLO7IWR2mfv2zFsHc8sxBD1lV/7ATcb
yxQsCDYrLgVKC3NGNgeMllqxynaMnsYeXVg5o2TQH5hYkFu22L7Bewr+y6rsF5n/
KePA2BzWNMT3c3/ksLXpo+THm6Df0B1G0TqzABEBAAG0QFJlc3BvbnNpYmxlX0Rp
c2Nsb3N1cmVfVExTIDxyZXNwb25zaWJsZS5kaXNjbG9zdXJlQHRyYW5zbGluay5u
bD6JATYEEwECACAFAlPg3akCGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRB6
ldXW1GS84oxyCACfNiFGFDh3+Vzq+JiHLs8RmjCn5xbD2Zb8TqvfDotyH6+Vvp7q
iAV5DucvFM99nQfcmyZoUucH2asCdiJUxLPx1WG5w0fDr2IOdYuzyqEaBqOdBT56
S3GP9oIA5238l7fg48pbyjlCEfHjq3FZUtZgMjB5V19ElzKeuWHXdoFdG6hvttMt
5IDmwL617e78TCc5G7ePdr8XRbbM/q/bB+RnMAdQ08jQKV5+lfgKcqsouQVVm8Nk
qW0ZqEDxFvDEokPfzmQH9V5uZ3z4LDF8lTqUyyVL88w3gwMv2QyL2xxNsANC/Q32
oFvPToPQXTFRIgh4U8st2DYdj6l0bNNzGLQn
=0ukB
-----END PGP PUBLIC KEY BLOCK-----
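Before trusting a key pasted from a web page, it is worth checking that the armor is intact and seeing exactly what it contains. The script below is an added example, not code from Translink or from this page: it embeds a copy of the key block above (as constructed here from the page), verifies the armor's CRC-24 checksum, and decodes the OpenPGP packet headers to report the key's creation date, algorithm and size, its V4 fingerprint and the user IDs it carries. It uses only the Python standard library; the packet walk handles the old-format headers used in this key and refuses anything else rather than guessing.

```python
"""Sanity-check an ASCII-armored OpenPGP public key before `gpg --import`.
Added example, not Translink's tooling: verifies the armor CRC-24 (RFC 4880
s6.1) and walks the packet headers (s4.2, s5.5.2) to report creation time,
algorithm, key size, fingerprint and user IDs. Standard library only."""
import base64
import datetime
import hashlib
import re

# Copy of the key block published on the page, embedded so this runs offline.
TRANSLINK_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (MingW32)

mQENBFPg3akBCADP38pon/G/YgRl31F7wo+Q73ODuxeT5Im14HQN09clBl/TJNYv
C2HDyQbWuw2lzvqv4+t6Hh6nQAOaSa4jIDUx/S7ZhlLSxqb/Kv7T30uU2DSSe697
5t5c9TupqFIVSMfDKrDkUU0X2eFUBDl/HIujx5p9IDW1sfkqaH6HnA4H/M3Rv2r/
W7xF7m28Sz24M/XFvhUWU9LUcjtBulpF/oLO7IWR2mfv2zFsHc8sxBD1lV/7ATcb
yxQsCDYrLgVKC3NGNgeMllqxynaMnsYeXVg5o2TQH5hYkFu22L7Bewr+y6rsF5n/
KePA2BzWNMT3c3/ksLXpo+THm6Df0B1G0TqzABEBAAG0QFJlc3BvbnNpYmxlX0Rp
c2Nsb3N1cmVfVExTIDxyZXNwb25zaWJsZS5kaXNjbG9zdXJlQHRyYW5zbGluay5u
bD6JATYEEwECACAFAlPg3akCGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRB6
ldXW1GS84oxyCACfNiFGFDh3+Vzq+JiHLs8RmjCn5xbD2Zb8TqvfDotyH6+Vvp7q
iAV5DucvFM99nQfcmyZoUucH2asCdiJUxLPx1WG5w0fDr2IOdYuzyqEaBqOdBT56
S3GP9oIA5238l7fg48pbyjlCEfHjq3FZUtZgMjB5V19ElzKeuWHXdoFdG6hvttMt
5IDmwL617e78TCc5G7ePdr8XRbbM/q/bB+RnMAdQ08jQKV5+lfgKcqsouQVVm8Nk
qW0ZqEDxFvDEokPfzmQH9V5uZ3z4LDF8lTqUyyVL88w3gwMv2QyL2xxNsANC/Q32
oFvPToPQXTFRIgh4U8st2DYdj6l0bNNzGLQn
=0ukB
-----END PGP PUBLIC KEY BLOCK-----
"""

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the binary body (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def dearmor(armor: str):
    """Return (binary body, crc_ok); tolerates the blank lines web pages insert."""
    lines = [ln.strip() for ln in armor.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("missing armor header or footer")
    # Drop "Key: value" armor headers and blank lines; base64 never contains ": ".
    body = [ln for ln in lines[1:-1] if ln and not re.match(r"^[A-Za-z-]+: ", ln)]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC line")
    expected = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    return data, crc24(data) == expected

def parse_packets(data: bytes):
    """Return [(tag, body)] for old-format packet headers (RFC 4880 section 4.2.1)."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:   # new-format or indeterminate length
            raise ValueError(f"unsupported packet header 0x{ctb:02x} at offset {pos}")
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        hdr = 1 + (1 << ltype)                # 1-, 2- or 4-byte length field
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        pos += hdr + length
    return packets

def describe_key(armor: str) -> dict:
    """Summarise what the armored key actually contains."""
    data, crc_ok = dearmor(armor)
    packets = parse_packets(data)
    info = {"crc_ok": crc_ok, "tags": [t for t, _ in packets], "user_ids": []}
    for tag, body in packets:
        if tag == 6:                          # public-key packet (version 4 only)
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            info["created"] = int.from_bytes(body[1:5], "big")
            info["algorithm"] = PUBKEY_ALGOS.get(body[5], f"unknown({body[5]})")
            info["bits"] = int.from_bytes(body[6:8], "big")    # first MPI: n for RSA
            # V4 fingerprint = SHA-1(0x99 || 2-byte body length || body), section 12.2
            info["fingerprint"] = hashlib.sha1(
                b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
        elif tag == 13:                       # user ID packet
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

if __name__ == "__main__":
    info = describe_key(TRANSLINK_KEY)
    info["created"] = datetime.datetime.fromtimestamp(info["created"], datetime.timezone.utc).isoformat()
    print("\n".join(f"{k}: {v}" for k, v in info.items()))
```

Run it, then compare the fingerprint and user ID it prints with what `gpg --import translink.asc` followed by `gpg --fingerprint` shows for the imported key; the user ID on the key is what you pass to `gpg --armor --encrypt --recipient '<user id>' report.txt`, and the resulting `report.txt.asc` is what goes in the email. Put the description and reproduction details inside the encrypted body rather than in the subject line or an unencrypted attachment.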

Can I make an anonymous report?

You can also report anonymously. Bear in mind that we will then be unable to contact you about the report or to pay any reward. To remain anonymous, email us from an address that cannot be linked to you and do not include any further contact details.

What will Translink (TLS) do with the report?

Your report will be investigated by our security experts. You will receive an initial response from us within two working days, in which we:

  • give you our evaluation of your report,
  • tell you whether we are going to implement a solution,
  • and tell you when we plan to do this.

The rules

Searching for vulnerabilities may involve acts that are unlawful. If you act in good faith, keep to the rules below and report the vulnerability to us, Translink will not take legal action against you. You may also be eligible for a reward.

  • Anyone who discovers a possible vulnerability in our systems can make a report, even if you do not use an OV-chipkaart.
  • We can only process reports made in Dutch or English.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
  • Do not place a back door in an information system in order to demonstrate the vulnerability.
  • Make minimal use of a vulnerability. Do only what is necessary to establish the vulnerability.
  • Do not change or remove any data from the system.
  • Do not copy databases or files. A directory listing is enough to demonstrate that you had access.
  • Do not make any system changes.
  • Do not repeatedly try passwords (brute force) to access systems.

Searching for or investigating a vulnerability should never lead to:

  • Financial, legal, operational or reputational damage to TLS.
  • Disruption to our service.
  • Publication of confidential (customer) data.

Your privacy

If you have made a report, we will ask you for your contact details (name, email address, public PGP key and possibly a telephone number). We will not pass your details on to third parties or use them for any other purpose, unless we are legally obliged to do so.

Can I publish the vulnerability I find and my research?

Never publish your research or vulnerabilities in our IT systems without consulting us. Consult with our security experts and give us time to find a solution to the problem.

Reward

We are pleased that people want to help us optimise our systems and processes. You will therefore receive an appropriate reward to express our gratitude for a reported vulnerability we have been able to solve or that has led to a change to our service. TLS will decide whether you are eligible for a reward and the amount of this reward. If more than one person reports the same vulnerability, the first person to report the vulnerability will receive the reward.

See the Hall of Fame

Our policy on reporting vulnerabilities is based on the guideline issued by the Dutch National Cyber Security Centre (NCSC).