Technical Product Vulnerability Disclosure Policy
As our information technologies provide critical services, maintaining the security and integrity of our hardware and software is of paramount concern to Nexor. We know the value of a close working relationship with cyber security professionals as we are part of this Community. Nexor is committed to verifying and addressing any potential technical product vulnerabilities that are reported to us.
Customers who discover vulnerabilities are encouraged to use their existing support channel to raise a support call/case for their product.
We encourage anyone to report vulnerabilities they may find in a responsible manner. The following indicates the types of vulnerabilities which are in scope.
1.2.1 In scope
Any Nexor technical product.
1.2.2 Conduct which is Out of Scope
The following conduct is expressly prohibited:
- Accessing, or attempting to access, data or information that does not belong to you.
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Violating any laws or breaching any agreements to discover vulnerabilities.
1.3 Safe Harbour
Nexor pledges not to initiate legal action against anyone who finds a technical product vulnerability in our systems so long as they adhere to this Policy. This is not a licence or invitation to reverse engineer our Intellectual Property, for which we would still initiate legal action.
Please review these terms before you test and/or report a technical product vulnerability.
Nexor believes in maintaining a good working relationship with security professionals. Please privately provide us with the details of any suspected vulnerabilities to email@example.com so that our Security Team can validate and reproduce the discovered issue.
When reporting a potential technical product vulnerability, please include as much of the below information as possible to help us better understand the nature and scope of the reported issue:
- Product name and version containing the technical product vulnerability.
- Environment or system information under which the issue was reproduced (e.g. product model number, OS version, etc.).
- Type and/or class of vulnerability (XSS, buffer overflow, RCE, etc.).
- Step-by-step instructions to reproduce the technical product vulnerability.
- Proof-of-concept or exploit code.
- Potential impact of the technical product vulnerability.
This will allow Nexor to assess the severity and impact.
Nexor is committed to ensuring that our customers receive the best and most timely security advice available to ensure adequate protection against the technical product vulnerabilities in question.
Advice to customers will include:
- The overall impact.
- A representation of the severity: Critical, High, Medium, Low.
- Products and versions affected.
- Brief description of the technical product vulnerability and the potential impact if exploited.
- Remediation details with update/workaround information.
Corrective action will be taken in the shortest, commercially reasonable time. Response timelines will depend on many factors, including the severity, impact and implementation complexity associated with the discovered technical product vulnerability.
If you are a supported customer, please raise a support call via your normal support channel. If you are not a supported customer, please use the email address above.
For Nexor to protect our customers, we request that you not post or share any information about a potential technical product vulnerability in any public setting until we have researched, responded to, and addressed the reported technical product vulnerability. This will give us the opportunity to inform our customers.
We will make a reasonable effort to:
- Respond to the originator of the technical product vulnerability report in a timely manner, acknowledging receipt of the technical product vulnerability report.

Nexor is happy to thank every individual researcher who submits a technical product vulnerability report which helps us to improve our overall security posture at Nexor.