Responsible Disclosure notification

If you discover a flaw in or breach in the IT systems of one or more of Royal Schiphol Group’s legal entities that has its registered office in the Netherlands, then please let us know. It is important that we take every possible measure and precaution to give ourselves the best digital protection available. For that reason, we ask you to handle digital security responsibly and that you carefully study the rules for Responsible Disclosure notifications. Thanks in advance for your cooperation.

Rules for Responsible Disclosure notifications

What can be reported

Please let us know if you encounter problems with our digital systems, such as:

  • Remote Code Execution
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Injection vulnerabilities
  • Broken authentication and session management
  • Encryption-related flaws
  • Unauthorized access to data
  • APIs that are insufficiently protected

Exceptions

Before reporting a vulnerability, make sure to check if it is not listed in the exceptions:

Exceptions Responsible Disclosure

How issues can be reported

If you discover something wrong, please let us know immediately.

  • Email your findings as quickly as possible to responsible (full stop) disclosure ('at'sign) schiphol (full stop) nl.
    If possible, encrypt your email with a Schiphol
    PGP-key This prevents the information from falling into the wrong hands.
  • In the body of your email, please remember to tell us how you discovered the problem, so that we are able to reproduce it. Describe the problem and pass on the IP address or URL.
  • Also include your contact information, such as an email address or telephone number. Then we can contact you to work on a safe solution together.
  • You will receive a message from us as soon as possible about the further course of events.

Thanks for doing your bit

We trust that you will treat any information regarding security issues as strictly confidential and only share this information with Amsterdam Airport Schiphol. We also kindly ask you not to take any further action to demonstrate the security issue, and to delete any confidential information you may have had access to when you discovered the breach.

Important rules regarding Responsible Disclosure notifications

Be careful not to break the law

Please take great care when looking into the security of our IT systems, as you may accidentally break Dutch or international laws. This may open you up to possible criminal charges. The rule of law supersedes the rules set out by Amsterdam Airport Schiphol, so take great care to ensure you are not engaging in any illegal activities that we are required to report to the authorities.

Royal Schiphol Group Responsible Disclosure Hall of Fame

Names or pseudonyms of people who contributed to our safety in accordance with the rules of responsible disclosure can be found in our Responsible Disclosure Hall of Fame.

View the Hall of Fame