Responsible disclosure guidelines

At Netcompany, we consider the security of our systems a top priority. But regardless of how much effort we put into system security, vulnerabilities might still be present.

It is therefore important for us, our customers, and our partners to know that any threat to us and to them is handled effectively and efficiently. That is why we maintain these responsible disclosure guidelines, which give anyone clear directions on how to report security issues to us for swift action.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. These guidelines are intended to be read and followed by any individual who believes they have found a vulnerability in Netcompany’s in-scope assets.

Please note that we do not currently offer a bug bounty or a hall of fame program, which means that Netcompany does not pay rewards or publicly show any sign of appreciation for disclosed security vulnerabilities.

To protect Netcompany and our customers and partners, we investigate all reported issues, but we do not confirm them publicly.

If you are looking to report a non-security-related issue, please contact us in accordance with the information below.

  • Legal issues: legal@netcompany.com
  • Privacy issues: gdpr@netcompany.com
  • To report serious offences or suspected serious offences with full anonymity, please use our independent and autonomous whistleblower channel: https://www.netcompany.com/whistleblower
  • For all other reporting, please contact info@netcompany.com

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be authorized, lawful, helpful to the overall security of the Internet, and conducted in good faith. We will not report any findings to the authorities when they are reported in accordance with our guidelines. You are, however, expected to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us by submitting a report before going any further.

What we expect of you

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying data
  • Do not pass on information about the vulnerability to third parties or institutions unless Netcompany has approved this
  • Do not carry out any attacks on our IT systems that compromise, change, or manipulate infrastructure or people
  • Do not carry out attacks on physical security, attacks using social engineering techniques (e.g., phishing), (distributed) denial-of-service attacks, or attacks through third parties
  • Do provide us with sufficient information so that we can reproduce, analyze, and solve the problem as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation

Our Promise

When working with us according to our responsible disclosure guidelines, you can expect Netcompany to:

  • Extend Safe Harbor to you for vulnerability research reported in accordance with these guidelines
  • Cooperate with you to understand and validate your report, including responding to your submission in a timely manner, preferably within 15 business days, and keeping you updated where appropriate
  • Handle your report with strict confidentiality and not pass on your personal details to third parties without your permission
  • Work to remediate discovered vulnerabilities as quickly as possible

In scope

In-scope assets are all Netcompany services, applications, and websites; all non-public Netcompany data, including personal information, financial information, and proprietary information; and any Netcompany data involuntarily made public anywhere.

In-scope security issues also include:

  • The ability to see or modify the above-mentioned Netcompany data, or to hinder its availability
  • Security issues in the implementation of third-party plugins
  • Security issues in third-party services or libraries used in any of the in-scope Netcompany assets
  • Non-technical issues that can impact Netcompany as if they were technical security issues, e.g., a business process with a specific, vulnerable setup
  • Sites imitating Netcompany assets but not owned by Netcompany, e.g., sites aiming to phish Netcompany or Netcompany customers, or to misuse the Netcompany brand

If you’re in doubt, you’re welcome to ask questions at responsible-disclosure@netcompany.com.

Out of scope

Out of scope security issues include:

  • Non-sensitive cookies
  • HTTP response header configuration, unless it is related to an in-scope security issue
  • SPF, DKIM, and DMARC setup
  • Security issues requiring a jailbroken mobile device, unless the issue enables a server-side compromise
  • Social engineering attacks (e.g., phishing) on Netcompany (but not sites aimed at social engineering Netcompany or our customers; see the previous section)
  • Findings from automated scans (unless qualified and proven to constitute a real vulnerability)

How to report a vulnerability

If you detect a vulnerability in our in-scope assets, please email us at:
responsible-disclosure@netcompany.com

Please include the string “Responsible disclosure” in the subject to ensure proper handling of your email.

When reporting a security issue, please include these points:

  1. A description of the security issue with as many details as possible
  2. The attack chain by which the discovered security issue could lead to an impact on Netcompany
  3. Screenshot(s)
  4. Any thoughts on how we can mitigate the security issue
  5. Contact details and your preferred method for the follow-up conversation (e.g., email, Teams, or phone)

You must ensure that your email is sent with TLS 1.2 or higher (“forced TLS”) and a cipher suite currently considered secure.

If you cannot ensure forced TLS, you may use the (fool-proof) option of emailing the relevant information to the above address as a .zip or .7z file attached to a regular email, with the file encrypted using a secure algorithm and a password.

Deliver this password via an alternative communication channel. Please contact us to arrange this alternative channel (probably a text message, a phone call, or a virtual meeting room, depending on your preference).

Processing of personal data

Please note that when you report a security issue, we will store and process all personal data included in your report and follow-up conversation, but strictly only as required to act on your report.

This will usually be limited to your initial email and any follow-up conversation being processed in accordance with our privacy policy.

Netcompany reserves the right to amend these responsible disclosure guidelines at any time, without notification or reason.