Magenta has joined the IT Industry Code for Reporting Security Gaps.
One of the basic requirements for the success of digitalization is that customers and citizens have confidence in the IT solutions that support digital Denmark. In other words, good IT security is a crucial factor. For this reason, Magenta has adhered to the IT Industry Code for Reporting Security Gaps.
The companies and the authorities would therefore be very pleased to hear from you if you become aware of any errors or vulnerabilities in systems that may lead to security or data breaches.
All Affiliated Companies and Authorities will endeavor to deal with your request in accordance with the instructions below.
We expect you to use your best judgment in familiarizing yourself with the instructions below and following the portions that pertain to you as an investigator.
When should you report security breaches?
- You should contact us if there is a security breach that you believe could lead to the misuse of information that by its nature appears to be confidential. For example, this could be the case if you see information about other citizens that you believe you are not allowed to see or access.
- Overall, we would like to hear about inadvertent access to personal data or sensitive company information. For example, this could be:
  - If you are given or have been given access to other citizens’ personal information.
  - If it is possible to adjust permissions or otherwise access other people’s user accounts or information.
  - If you have become aware of software vulnerabilities or possible exploits that could be used to access otherwise inaccessible data.
What do we need to know?
- We want as detailed a description as possible of the problem or error you are experiencing.
- Your request may very well include the following information:
  - How you became aware of the problem or bug
  - What you believe the error or vulnerability is
  - Where the problem, bug or vulnerability occurred
  - Please send screenshots of the problem, bug or security flaw
  - Your contact information.
- We accept and respect within the law if you wish to remain anonymous, but we encourage you to send us your contact information. We need your contact information to report back to you and to potentially process your request.
What are you not allowed to do?
- Do not exploit the bug or vulnerability you observed to access data.
- Of course, you may inadvertently access data that does not pertain to you. The key thing is not to explore and exploit the vulnerability to access more data.
- Once we receive your request, we will immediately begin remediation depending on the scope and severity of the security breach. In the meantime, we appeal to you not to contribute to worsening the consequences of the identified security breach – for example, by contacting the media with your knowledge of the security breach while we are processing your request. This also applies to social media.
- There may be a security vulnerability that can be exploited by others.
- It is important that we have the opportunity to resolve the issue before it becomes public knowledge. This is done to limit the damage – including to those who may be affected.
- If you choose to contribute to the dissemination of information that has become inadvertently accessible due to the identified vulnerability, we may be forced to consider your actions as aiding and abetting hacking and may file police charges.
How should you contact us?
- Please send the information to: firstname.lastname@example.org
- Please bring the problem to our attention as soon as possible and without unnecessary delay. It is important that we have the opportunity to resolve this issue as soon as possible.
What happens after you send us your request?
- We take your request seriously and process it as soon as we receive it.
- You will always receive a receipt for your request within 1-2 business days so you know we received it.
- You will also receive feedback on what we did with your request within 2 weeks. This will also state whether you should expect to hear from us again or if the case is closed.
- There may be a duty to report the security breach or data breach to the Danish Data Protection Agency or other authorities. This duty generally rests with the data controller and data processor and not with you, the citizen or investigator. Once you have brought the data breach to our attention, we will make any notification to the Danish Data Protection Agency that may be required.
Read more about the IT industry initiatives here.