Technical Product Vulnerability Disclosure Policy

1.1 Introduction

As our information technologies provide critical services, maintaining the security and integrity of our hardware and software is of paramount concern to Nexor.  We know the value of a close working relationship with cyber security professionals as we are part of this Community.  Nexor is committed to verifying and addressing any potential technical product vulnerabilities that are reported to us.

Customers who discover vulnerabilities are encouraged to use their existing support channel to raise a support call/case for their product.

1.2 Scope

We encourage anyone to report vulnerabilities they may find in a responsible manner.  The following indicates the type of vulnerabilities which are in scope.

1.2.1 In scope

Any Nexor technical product.

1.2.2. Conduct which is Out of Scope

The following conduct is expressly prohibited:

• Accessing, or attempting to access, data or information that does not belong to you.
• Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
• Violating any laws or breaching any agreements to discover vulnerabilities.

1.3 Safe Harbour

Nexor pledges not to initiate legal action against anyone who finds a technical product vulnerability in our systems so long as they adhere to this Policy.  This is not a licence or invitation to reverse engineer our Intellectual Property which would still initiate legal action.

Please review these terms before you test and/or report a technical product vulnerability.

1.4 Process

Nexor believes in maintaining a good working relationship with security professionals.  Please privately provide us with the details of any suspected vulnerabilities to support@nexor.com so that our Security Team can validate and reproduce the discovered issue.  

When reporting a potential technical product vulnerability, please include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

• Product name and version containing the product technical vulnerability.
• Environment or system information under which the issue was reproduced (e.g. product model number, OS version, etc).
• Type and/or class of vulnerability (XSS, buffer overflow, RCE, etc).
• Step-by-step instructions to reproduce the technical product vulnerability.
• Proof-of-concept or exploit code.
• Potential impact of the technical product vulnerability.

This will allow Nexor to assess the severity and impact.

Nexor is committed to ensuring that our customers receive the best and most timely security advice available to ensure adequate protection against the technical product vulnerabilities in question.

Advice to customers will include:

• The overall impact
  • A representation of the severity; Critical, High, Medium, Low.
• Products and versions affected.
• Brief description of the technical product vulnerability and the potential impact if exploited.
• Remediation details with update/workaround information.

Corrective action will be taken in the shortest, commercially reasonable time.  Response timelines will depend on many factors, including the severity, impact, implementation complexity of the discovering a technical product vulnerability.

If you are a supported customer, please raise a support call via your normal support channel.  If you are not a supported customer, please use the email address above.

1.5 Preferences

For Nexor to protect our customers, we request that you not post or share any information about a potential technical product vulnerability in any public setting until we have researched, responded to, and addressed the reported technical product vulnerability.  This will give us the opportunity to inform our customers.  

We will make a make a reasonable effort to:

• Respond to the originator of the technical product vulnerability report in a timely manner, acknowledging receipt of the technical product vulnerability report
• Nexor is happy to thank every individual researcher who submits a technical product vulnerability report which helps us to improve our overall security posture at Nexor.