Code of conduct

Disclaimer: The original of this page was written in Dutch. This page has been automatically translated into other languages using DeepL. This may result in differences in nuance, tone and meaning. When in doubt, always consult the Dutch version first. Due to the high cost of translations, this page may lag behind the Dutch version in terms of content. We consider the Dutch version of this page to be leading.

Code of Conduct Internet Cleanup Foundation version 1.0

Internet Cleanup Foundation volunteers conduct their activities according to this code of conduct.

  1. The Internet Cleanup Foundation is a Dutch foundation with the goal of making the Internet safe. The underlying goals are a resilient society against online threats and that everyone can safely use the Internet. We do this, among other things, by providing insight into the availability, integrity and confidentiality of digital services. For example, by visualizing the application of digital security measures.
  2. This code of conduct lays an ethical foundation for our activities. This is essential because it involves working with potentially sensitive data and in most cases without prior consent or processing agreement.
  3. We deal with, among other things:
    1. (Automated) domain discovery and automated measurement of vulnerabilities, and of the protective measures against them, on digital infrastructure
    2. visualizing, at very large scale, the presence or absence of security measures where it is ethically acceptable to publish this (see publication policy)
    3. communicating these findings as publicly as possible, with the goal of getting any vulnerabilities resolved
    4. working with trusted organizations to get these vulnerabilities resolved
  4. We are aware that we are treading on the edge of what is legally permissible. Therefore, careful considerations are at the basis of our activities. Activities must always comply with the following principles:
    1. Public benefit: we act in the public interest because we believe the Internet should be a safe place for everyone. Our activities are not motivated by financial, political or individual interests.
    2. Proportionality: the goal is to increase the availability, integrity and confidentiality of online services, with the higher goal of making society safer. Our efforts aim to increase security, not weaken it.
    3. Subsidiarity: the solution that achieves the goal with the least impact is always chosen.
  5. We are careful: measurements are verifiable, substantiated and clearly formulated. We create and use measurement tools that are of high quality and do not cause damage to systems or infrastructure. We never measure beyond what is necessary to demonstrate a vulnerability or the absence of a security measure.
  6. We are aware of the complexity of the Internet and digital infrastructure. Therefore, the comply or explain principle is applied to measurements. This creates a standard of which exceptions to basic security are acceptable in which situation. This policy is published publicly so that organizations can comply with it. An explanation is accepted if it concerns a solution that is “by design”. If an explanation reveals measurement errors, the measurement tools are refined and the measurement updated.
  7. We measure and publish on a national scale and focus on entire industries and relevant umbrella organizations. We treat all organizations as equal and expect them all to meet the same security requirements.
  8. Vulnerabilities are published when possible according to this code of conduct. Publication has a number of attributes that we explicitly strive for:
    1. It becomes clear to people with less knowledge of digital security how well organizations handle security. They can draw conclusions from this and apply pressure to improve,
    2. Security becomes tangible to boards and directors, allowing them to steer on it instead of steering blindly,
    3. It avoids the need for a large staff organization to individually report and follow up on each vulnerability,
    4. Transparency emerges about the extent of online services and their quality. Many organizations lack this picture, which is why, for example, systems get forgotten, remain unpatched and become increasingly vulnerable,
    5. What is already public is made public, while we shield what should be shielded. In other words, “Öffentliche Daten nützen, private Daten schützen”.
  9. Published measurements are current. They are repeated regularly and are in any case no more than 2 months old. As a result, each organization being measured is in control of its own assessment.
  10. We report basic security vulnerabilities by communicating them publicly and as widely as possible. The owner of the systems is responsible for resolving the findings.
  11. Everyone involved in activities of the foundation is aware of these rules of conduct and ensures compliance. If someone does not comply with these rules of conduct, measures are taken. Such a measure is, for example, denial of access to projects and infrastructure.
  12. Before publishing information on new groups of organizations, umbrella organizations will be contacted to announce and streamline publication for a soft landing with those in charge. After a landing period of at least one month, publication will proceed.
  13. New types of measurements are announced to the umbrella organizations. This gives them the opportunity to forward them to their participants for quick follow-up.
  14. We apply the hacker slogans “be excellent to each other” and “all creatures welcome” to social manners in the foundation.

This code of conduct is inspired by that of the Dutch Institute for Vulnerability Disclosure, for which we are grateful.