Responsible disclosure

It is essential that the ICT systems of NOA are safe. NOA strives towards providing a high level of security for its systems. However, it can occur that one of these systems has a vulnerability.

Vulnerabilities in ICT systems of NOA

If you have found a weak spot in one of the ICT systems of NOA, NOA would like to hear about this from you, so the necessary measures can be taken as quickly as possible to rectify the vulnerability. To deal with the vulnerabilities in the NOA ICT systems responsibly, we propose several agreements. You may hold NOA to this when you discover a weak spot in one of our systems.

NOA asks you to:

  • E-mail your findings to
  • provide sufficient information to reproduce the problem so that NOA can solve the problem as quickly as possible. The IP address or the URL of the system affected and a description of the vulnerability are usually sufficient, but more may be needed for more complex vulnerabilities
  • leave your contact details so that NOA can contact you to cooperate on a safe result. At least, leave an e-mail address or a telephone number
  • report the vulnerability as quickly as possible after its discovery
  • do not share the information on the security problem with others until the problem has been solved
  • handle the knowledge on the security problem with care by not performing any acts other than those necessary to reveal the security problem
  • Please refrain from sending us a report on the issues below. Even if they are reproducible, NOA considers them not a security vulnerability:
      • Issues found through automated testing
      • Presence of banner or version information
      • OPTIONS / TRACE HTTP method enabled
      • “Advisory” or “Informational” reports such as user enumeration
      • Vulnerabilities requiring physical access to a system
      • Missing CAPTCHAs
      • Default web server pages
      • Brute-force attacks
      • Content injection
      • Hyperlink injection in emails
      • Content Spoofing
      • Issues relating to password policy
      • Full-path disclosure
      • Version number information disclosure
      • CSRF-able actions that do not require authentication (or a session) to exploit
      • Issues on 3rd-party subdomains/domains of services we use. Please report those issues to the appropriate service.
      • Reports related to the following security-related headers:
          • Strict Transport Security (HSTS)
          • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
          • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)

Avoid in any case the following acts:

  • installing malware
  • copying, changing or deleting data in a system (an alternative to this is making a directory listing of a system)
  • making changes to a system
  • repeatedly accessing the system or sharing access with others
  • using so-called "brute force" to access systems
  • using denial-of-service or social engineering

What you can expect:

  • if you comply with the conditions above when reporting the observed vulnerability in an ICT system of NOA, NOA will not attach any legal consequences to this report
  • NOA handles a report confidentially and does not share personal details with third parties without permission from the reporter, unless this is mandatory by virtue of a judicial decision
  • in mutual consultation, NOA can, if you desire, mention your name as the discoverer of the reported vulnerability
  • NOA will send you a confirmation of receipt within three working days
  • NOA responds within five working days to a report with an assessment of the report and an expected date for a solution
  • NOA keeps the reporter up-to-date on the progress made with solving the problem
  • NOA solves the security problems observed by you in a system as quickly as possible, but no later than within 60 days. Whether and in what way the problem will be published after it has been solved is determined in mutual consultation.
  • NOA offers a reward as thanks for help. Depending on the seriousness of the security problem and the quality of the report, the reward can vary from a T-shirt to a maximum of EUR 300 in gift vouchers. It must concern a serious problem that is unknown to NOA.