EU Digital Covid Certificates Vulnerability Disclosure Policy (VDP)

At the European Commission, we treat the security of our Communication and Information Systems as a top priority, in line with Commission Decision EC 2017/46. However, vulnerabilities can never be completely eliminated, despite all efforts. If exploited, such vulnerabilities can harm the confidentiality, integrity or availability of the Commission's systems and of the information processed therein. To identify and remediate vulnerabilities as soon as possible, we value the input of external entities acting in good faith, and we encourage responsible vulnerability research and disclosure. This document sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Scope

• EU DCC Gateway
• EU DCC Applications
• Source code in eu-digital-green-certificates repositories

If you have identified a vulnerability, please do the following:

• E-mail your findings to EC-VULNERABILITY-DISCLOSURE@ec.europa.eu, specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem.
• Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
• Provide us sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation in terms of technical information or potential proof-of-concept code.
• Provide your report in English, preferably, or in any other official language of the European Union.
• Inform us if you agree to make your name/pseudonym publicly available as the discoverer of the vulnerability.

Please do not do the following

• Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying other people’s data.
• Do not reveal any data downloaded during the discovery to any other parties.
• Do not reveal the problem to others until it has been resolved.
• Do not perform the following actions:
  • Placing malware (virus, worm, Trojan horse, etc.) within the system.
  • Reading, copying, modifying or deleting data from the system.
  • Making changes to the system.
  • Repeatedly accessing the system or sharing access with others.
  • Using any access obtained to attempt to access other systems.
  • Changing access rights for any other users.
  • Using automated scanning tools.
  • Using the so-called "brute force" of access to the system.
  • Using denial-of-service or social engineering (phishing, vishing, spam etc.).
• Do not use attacks on physical security.

What we promise:

• We will respond to your report within three business days with our evaluation of the report.
• We will handle your report with strict confidentiality.
• Where possible, we will inform you when the vulnerability has been remedied.
• We will process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission.
• In the public information concerning the problem reported, we will publish your name as the discoverer of the problem if you have agreed to this in your initial e-mail