The organization has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities.
Specification
For external suppliers the policy should be in accordance with the guidelines of the Dutch National Cyber Security Centre (NCSC): https://english.ncsc.nl/publications/publications/2019/juni/01/coordinated-vulnerability-disclosure-the-guideline
The policy should be easy to find and should also be referenced in security.txt.
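As an added illustration that is not part of the original control text, the following is a minimal security.txt served at /.well-known/security.txt that satisfies the reference requirement: the Contact and Expires fields are mandatory under RFC 9116, and the Policy field is where the link to the Coordinated Vulnerability Disclosure Policy belongs. The domain, mailbox and URLs are placeholders to be replaced with the organization's own.

```text
# Placeholder values: replace example.org and the addresses with your own.
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2026-01-01T00:00:00.000Z
Policy: https://example.org/security/coordinated-vulnerability-disclosure
Preferred-Languages: en, nl
Canonical: https://example.org/.well-known/security.txt
```

A practical check is to fetch https://<your-domain>/.well-known/security.txt, confirm it returns the file with a Policy line pointing at the published policy page, and confirm the Expires date has not passed, since an expired file signals to researchers that the contact information may no longer be valid.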
ISO 27001 & 27002:2022
A5.7, A8.7, A8.8
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
SM.07 Threat and Vulnerability Management