Responsible disclosure policy
Translink works with the OV-chipkaart to ensure that passengers can travel on public transport safely and easily every day. OV-chipkaart security is the highest priority for Translink. The safety of Translink's own ICT systems is also very important, of course. Every day, specialists work to optimise the systems and processes. Vulnerabilities may still occur in our systems, however. If you discover vulnerabilities in our systems or in the OV-chipkaart, we will be happy to work with you to find a solution.
What kinds of vulnerabilities can I report?
You can report problems relating to our online service or the OV-chipkaart. For example:
- Cross site scripting
- SQL injection
Good to know: the reporting point is not intended for complaints about the service or the availability of the website and app. For those, please use the contact form. It is also not intended for reports of problems with OV-chipkaart equipment at train and metro stations or on buses and trams. For those, please contact the relevant operator.
How do I make a report?
Email us at email@example.com, using our public PGP Key. Include the following in the email:
- A detailed description of the problem you have found.
- The information required for us to reproduce and verify the vulnerability you found.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
Can I make an anonymous report?
You can also make an anonymous report. Bear in mind that it will then not be possible to contact you after the report or to pay any reward. In order to remain anonymous, you will need to email from a random email address, without including any further contact details.
What will TLS do with the report?
Your report will be investigated by our security experts. You will receive an initial response from us within two working days:
- We will inform you of our evaluation of your report,
- Whether we are going to implement a solution,
- And when we are going to do this.
When you report a vulnerability, you may be performing an illegal act. If you act with integrity, keep to the rules and report the vulnerability to us, you will not be prosecuted. You may also be eligible for a reward.
- Anyone who discovers a possible vulnerability in our system can make a report, including if you do not use an OV-chipkaart.
- We can only process reports made in Dutch or English.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or third-party applications.
- Do not place a back door in an information system in order to demonstrate the vulnerability.
- Make minimal use of a vulnerability. Do only what is necessary to establish the vulnerability.
- Do not change or remove any data from the system.
- Do not copy any databases or files. An alternative is to create a directory listing of a system.
- Do not make any system changes.
- Do not repeatedly try passwords (brute force) to access systems.
Searching for or investigating a vulnerability should never lead to:
- Financial, legal, operational or reputational damage to TLS.
- Disruption to our service.
- Publication of confidential (customer) data.
If you have made a report, we will ask you for your contact details (name, email, public PGP key and possibly a telephone number). We will not pass your details on to third parties and will not use them for any other purposes, unless we are legally obliged to do so.
Can I publish the vulnerability I find and my research?
Never publish your research or vulnerabilities in our IT systems without consulting us. Consult with our security experts and give us time to find a solution to the problem.
We are pleased that people want to help us optimise our systems and processes. You will therefore receive an appropriate reward to express our gratitude for a reported vulnerability we have been able to solve or that has led to a change to our service. TLS will decide whether you are eligible for a reward and the amount of this reward. If more than one person reports the same vulnerability, the first person to report the vulnerability will receive the reward.