Introduction

At the European Commission, the security of our Communication and Information Systems is a top priority, in line with Commission Decision EC 2017/46.

However, vulnerabilities can never be completely eliminated, despite best efforts. When vulnerabilities are identified and exploited, it puts at risk the confidentiality, integrity or availability of the European Commission's systems and the information processed therein.

This vulnerability disclosure policy describes what systems and types of tests are authorised and how to send vulnerability reports. We encourage you to contact us to report potential security issues in our systems by following this policy.

Authorisation

If you are acting in good faith to identify and report vulnerabilities on European Commission systems, while complying with this policy we will work with you to understand and resolve the issues quickly.
The European Commission will not pursue legal action related to your activities of identifying vulnerabilities on our systems as long as you follow the guidelines in this policy.

Scope

This policy applies to all internet facing systems from the European Commission, including

• the entire European Commission’s web presence
  • *.ec.europa.eu/*
  • *.commission.europa.eu/*
• public IPs advertised under ASN 42848, and attached services
• any other software published by the European Commission

Any services not expressly listed above are excluded from the scope and are not authorised for testing.
Moreover, vulnerabilities found in systems from vendors are also excluded from scope and should be reported directly to the vendor according to their own disclosure policy (if applicable).

Guidelines

While carrying out your activities, it is imperative that you

• do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying other people’s data
• only use harmless exploits to confirm that a vulnerability is present
• do not reveal any data downloaded during the discovery to the public or any other parties
• do not reveal the vulnerability or problem to the public or other parties until it has been resolved
• stop your tests when you discover any sensitive information (Personally Identifiable Information – PII, medical, financial, proprietary information or trade secrets) and notify us immediately and do not disclose any obtained data to anyone else

Do not perform the following actions

• place malware (virus, worm, Trojan horse, etc.) on any system
• compromise any systems using exploits to gain full or partial control
• copy, modify or delete data from the system
• make changes to the system
• repeatedly access the system or share access with the public other parties
• use any access obtained to attempt to access other systems
• change access rights of other users
• use automated scanning tools
• use a so-called “brute force” attack to access any systems
• use denial-of-service or social engineering (phishing, vishing, spam, etc.)
• use attacks on physical security

Reporting a vulnerability

What we would like to see from you

If you have identified a vulnerability, please

• e-mail your findings as soon as possible toEC-VULNERABILITY-DISCLOSUREec [dot]europa [dot]eu (EC-VULNERABILITY-DISCLOSURE[at]ec[dot]europa[dot]eu), specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem
• encrypt your findings using ourPGP key to prevent this critical information from falling into the wrong hands
• provide us with sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation in terms of technical information or potential proof-of-concept code
• provide your report in English preferably, or in any other official language of the European Union

What you can expect from us

In return, we promise the following when you report a vulnerability to us, that is to

• respond to your report within three (3) business days with our evaluation of the report
• handle your report with strict confidentiality
• where possible, inform you when the vulnerability has been remedied
• process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission
• publish your name as the discoverer of the problem, if you have agreed to this in your initial e-mail, when and if we disclose the problem publicly