The Dutch Security Hotline is a group of volunteers, part of the Dutch Institute for Vulnerability Disclosure, which has set itself the task of informing owners of Dutch network blocks and websites about (cyber) security issues that are reported to the Dutch Security Hotline.
We want to make the Netherlands (Cyber) safer by acting as a hotline for security-related matters relating to Dutch network operators. We want to enable researchers and other stakeholders to quickly inform all Dutch network operators of vulnerable or infected devices in their network.
We do this in the Dutch way: Open, honest, together, and free of charge.
What we do…
If someone reports an incident (vulnerability/infection/other issues) in multiple systems to us, we will validate it. After validation, we will find which network administrator(s) belong to the affected IP addresses and send a notification to these parties. This report contains a description of the incident (possibly via a blog post) and the affected IP addresses.
What we do not do
The Dutch Security Hotline is not the “internet police.” We only pass on the notification to the operators; we do not keep statistics about the follow-up, nor will we publish about it. The hotline does not publish about vulnerabilities unless this information is already publicly available elsewhere. We do not approach individuals.
The Dutch Security Hotline is part of the Dutch Institute for Vulnerability Disclosure (DIVD). The Dutch Security Hotline differs from the DIVD in a number of respects.
| | | |
|---|---|---|
| Target | Dutch network operators | Everyone |
| Type of report | Vulnerability with one or more systems | A general vulnerability and a list of IP addresses |
| Publication | In principle, yes | No, unless the information is already available somewhere else |
| Hall of fame | Yes | No |
What about the GDPR?
IP addresses have been marked as personal data by the Dutch Data Protection Authority. The Dutch Security Hotline processes personal data and follows the legal definition of “legitimate interest” for this.
According to the Dutch Data Protection Authority, an organization may invoke a legitimate interest if three conditions are met:
(1) you have a legitimate interest, (2) the processing is necessary to serve this legitimate interest and (3) you have weighed your interests against those of the persons whose personal data you are processing.
The purpose of the Dutch Security Hotline is to make the Netherlands (Cyber) safer by informing network administrators about incidents in their network so that they can resolve them. A safer Netherlands is in the public interest. Processing of IP addresses is necessary to inform network administrators of security problems in their network; without IP addresses, this information is virtually useless. Reporting the incident to the operator is also in the interest of the persons to whom the IP addresses possibly belong. After all, resolving an incident is also in the interest of these people.