Recently, a young hacker asked me how to start with Responsible Disclosures. So here is a tutorial on contributing to the online security of the Dutch Government. For the rules, see the guideline and the Coordinated Vulnerability Disclosure policy. Before you start hunting, read the rules!

Recon

Before hunting, you need a scope, right? Luckily, I made a copy of the Dutch Government's web register and extracted all the URLs. The file contains 1189 domains. I recommend running a sub-domain scan to find more sub-domains; tools such as Amass, Subfinder, Aquatone or MassDNS can do that.

Now you can start looking for vulnerabilities in the websites discovered by the sub-domain scans. Use the OWASP Testing Checklist for this: follow the checklist, look for vulnerabilities and be creative!
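Turning a register export into a clean scope list, and checking every host a sub-domain scan returns against that list before you test it, is the step that keeps a disclosure inside the rules. The script below is an added example, not the author's own extraction script; the register excerpt and the domain names in it are constructed, and the real register is the Dutch Government web register mentioned above.

```python
"""Build a scope list from a web register export and check hosts against it.

Added example, not the post author's script. REGISTER is a constructed
excerpt with the kind of noise a real export carries: schemes, paths,
ports, mixed case, stray whitespace and duplicates.
"""
from urllib.parse import urlsplit

# Constructed register excerpt: one URL or bare hostname per line.
REGISTER = """\
https://www.example-ministerie.nl/
http://Example-Ministerie.nl/contact
example-gemeente.nl
https://portal.example-gemeente.nl:443/login
  https://www.example-ministerie.nl/over-ons  
"""


def extract_hosts(register_text: str) -> list[str]:
    """Return the unique hostnames in a register export, in first-seen order."""
    seen: dict[str, None] = {}
    for raw in register_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # urlsplit only fills .hostname when a scheme is present,
        # so bare hostnames get a placeholder scheme first.
        if "://" not in line:
            line = "https://" + line
        host = urlsplit(line).hostname  # lower-cased, port already stripped
        if host:
            seen.setdefault(host, None)
    return list(seen)


def in_scope(host: str, scope: list[str]) -> bool:
    """True if host equals a scope entry or is a sub-domain of one.

    The "." prefix on the suffix check keeps the match label-aligned, so a
    look-alike such as notexample-gemeente.nl does not match example-gemeente.nl.
    """
    host = host.lower().rstrip(".")
    return any(host == entry or host.endswith("." + entry) for entry in scope)


def split_by_scope(candidates: list[str], scope: list[str]) -> tuple[list[str], list[str]]:
    """Partition sub-domain scan output into (in_scope, out_of_scope) lists."""
    inside = [h for h in candidates if in_scope(h, scope)]
    outside = [h for h in candidates if not in_scope(h, scope)]
    return inside, outside


if __name__ == "__main__":
    scope = extract_hosts(REGISTER)
    # Constructed sample of what a sub-domain scan might return.
    found = [
        "mail.example-ministerie.nl",
        "example-ministerie.nl.evil.test",
        "notexample-gemeente.nl",
    ]
    inside, outside = split_by_scope(found, scope)
    print("scope:", scope)
    print("test these:", inside)
    print("leave these alone:", outside)
```

Run the scope extraction once over the full register, keep the resulting list next to your scan output, and pass every discovered host through `in_scope` before opening it in a browser or scanner; anything that lands in the out-of-scope list is not covered by the disclosure policy.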

Reporting

Now that you have found some vulnerabilities, it is important to explain them clearly so that the NCSC understands your report. For that, I recommend reading 'Writing Reports' by EdOverflow. Remember that the response time for reported vulnerabilities is usually not very fast. Have patience!

Own experience

This was one of my first Responsible Disclosures to the Dutch Government, after a week of hunting. In the meantime, I have found dozens of vulnerabilities in the websites of the Dutch Government, received a lot of t-shirts for it and learned a lot :)


I hacked The Dutch Government and all I got was this lousy t-shirt