Security at Net at Work

Net at Work is the manufacturer of the modular email security gateway NoSpamProxy. We carry the seal of approval “IT Security made in Germany” and are a member of the TeleTrust Federal Association for IT Security and the Alliance for Cyber Security. The security of our products as well as the privacy of our customers is of utmost importance to us.

Reporting vulnerabilities

Please send your feedback to the following address:

Ideally, your report should contain this information:

  • Affected product/application
  • Description of the vulnerability
  • Proof-of-concept, exploit or network recordings (if available)

Even if you are not entirely sure, we will follow up on your information and contact you if we have any further questions.

Net at Work Product Security Incident Response Team

For questions or information regarding the cyber security of our products and mobile applications, please contact us: 

PGP Public Key

Download the PGP Key from Open Keys.

PGP Fingerprint:
3544 22B0 B4DC E503 5E22 32CA C7B4 635B 14C1 01AA

S/MIME Public Key
Download the S/MIME certificate from Open Keys.

Net at Work Vulnerability Disclosure Policy 

Process for reporting and publishing vulnerabilities

1. Introduction

As a manufacturer of high quality and long-lasting products, the security of our customer data has the highest priority and is a corporate value of Net at Work. We therefore welcome any contribution from external security experts to improve the security of our products. This policy defines the framework that Net at Work guarantees for the responsible disclosure of security vulnerabilities. This policy applies in its current version, subject to change without notice.

2. Scope

This policy applies to all networked or networkable products and components developed, manufactured or marketed by Net at Work, as well as to all publicly available Net at Work IT applications.

We are interested in reports of vulnerabilities that are exploitable, lead directly to an exploitable vulnerability or allow user data to be compromised remotely.

Please note that reports of vulnerabilities with minimal security impact (e.g. missing headers), unverified results of automated scans, vulnerabilities beyond Net at Work’s control or vulnerabilities that violate the requirements below will not be considered.

3. Eligibility and responsible disclosure

If your findings or comments concern one of our products or our mobile applications, you can contact our Product Security Incident Response Team (PSIRT) directly. Please use the following email address: 

Your email should contain the following information: 

  • Affected product/application
  • Description of the identified vulnerability
  • Proof-of-concept source code, exploit or log files (if available)

To speed up the reporting process, please keep the following things in mind:

  • Share the details of the security incidents with us.
  • Take into account our existing applications.
  • Make sure not to disrupt our applications’ operation.
  • Give us a reasonable response time before you disclose the information. We strive to respond promptly and remedy the identified vulnerability within 90 days. During this time, we ask you to keep all communications and information confidential. If we are unable to meet this time frame, we will contact you immediately.
  • Do not access or modify our data or the data of our users without express permission from the owner. Please access only your own accounts or test accounts for security research purposes.
  • Contact us immediately if you inadvertently come across data of other users. Viewing, changing, storing, transmitting or otherwise accessing the data is not permitted. Delete all local copies of the data immediately after reporting the vulnerability to the above email addresses.
  • Act in good faith to avoid breaches of privacy, data destruction and disruption or deterioration of our services (including denial of service), and comply with all applicable laws.

4. Consequences of compliance with this directive

We will not take civil action or file a complaint with law enforcement authorities for unintentional, bona fide violations of this policy as amended. We consider activities conducted in accordance with this policy to be “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our policy, we will waive those restrictions to allow security research under this policy. We will not make any claims against you if you have circumvented the technological measures we use to protect the applications under this policy.

We would like to thank you for your cooperation. Your comments and messages will help us to make our systems more secure. In recognition, we would therefore like to welcome you to our Hall of Thanks. Please let us know if and under which name we may list you there.