If you have found a potential security vulnerability in one of Naq Cyber’s systems or domains, we request you to take part in our responsible disclosure process as described below. We would like to co-operate with you to take the necessary measures and rectify the vulnerability. If you have landed here from a Google search for “Responsible Disclosure” we remind you that the purpose of this policy is for the case where you find a vulnerability by accident.
What we ask of you
- E-mail your finding to security [at] naqcyber.com as quick as possible, including every step to identify and reproduce the vulnerability;
- Provide us with full details of the security issue, including the IP address or the URL of the affected system or domain and if possible, a Proof of Concept;
- Leave your contact details so we can contact you to co-operate towards a safe result. This could be an e-mail address or a telephone number;
- Do not disclose the vulnerability with others without our permission/approval;
- Handle knowledge on the vulnerability with care by not performing any acts other than those necessary to reveal the vulnerability to us.
What you cannot do
- Cause damage and create unnecessary security risks;
- Install, copy, change or delete anything on a system;
- Use ’brute force’ to access a system;
- Use social engineering to gain access to a system.
What you can expect
- We will handle all reports confidentially and will not share your personal details with third parties without permission from the reporter, unless this is mandatory by judicial decision;
- We will respond to your report within five working days with an assessment of the report and an expected date for a solution;
- We will resolve the observed security issue as quickly as possible and keep you up-to-date;
- We will determine in (mutual consultation) whether and in what way the issue will be published after it has been resolved;
- We will offer a reward if you are the first person who reports a serious vulnerability to us, that we were unaware of;
- We reserve the right to consider the vulnerability as an accepted risk and not resolve it.
This is not an invitation to actively start scanning or hack us. If you happen to find something (by accident), we would like to know as soon as possible on firstname.lastname@example.org.