Net at Work Vulnerability Disclosure Policy
Process for reporting and publishing vulnerabilities
As a manufacturer of high quality and long-lasting products, the security of our customer data has the highest priority and is a corporate value of Net at Work. We therefore welcome any contribution from external security experts to improve the security of our products. This policy defines the framework that Net at Work guarantees for the responsible disclosure of security vulnerabilities. This policy applies in its current version, subject to change without notice.
This policy applies to all networked or networkable products and components developed, manufactured or marketed by Net at Work, as well as to all publicly available Net at Work IT applications.
We are interested in reports of vulnerabilities that are exploitable, lead directly to an exploitable vulnerability or allow user data to be compromised remotely.
Please note that reports of vulnerabilities with minimal security impact (e.g. missing headers), unverified results of automated scans, vulnerabilities beyond Net at Work’s control or vulnerabilities that violate the requirements below will not be considered.
3. Eligibility and responsible disclosure
If your findings or comments concern one of our products or our mobile applications, you can contact our Product Security Incident Response Team (PSIRT) directly. Please use the following email address:
Your email should contain the following information:
- Affected product/application
- Description of the identified vulnerability
- Proof-of-concept source code, exploit or log files (if available)
To speed up the reporting process, please keep the following things in mind:
- Share the details of the security issue with us.
- Take into account our existing applications.
- Make sure not to disrupt our applications’ operation.
- Give us a reasonable response time before you disclose the information. We strive to respond promptly and remedy the identified vulnerability within 90 days. During this time, we ask you to keep all communications and information confidential. If we are unable to meet this time frame, we will contact you immediately.
- Do not access or modify our data or the data of our users without express permission from the owner. Please access only your own accounts or test accounts for security research purposes.
- Contact us immediately if you inadvertently come across data of other users. Viewing, changing, storing, transmitting or otherwise accessing the data is not permitted. Delete all local copies of the data immediately after reporting the vulnerability to the above email address.
- Act in good faith to avoid breaches of privacy, data destruction and disruption or deterioration of our services (including denial of service), and comply with all applicable laws.
4. Consequences of compliance with this directive
We will not take civil action or file a complaint with law enforcement authorities for unintentional, bona fide violations of this policy as amended. We consider activities conducted in accordance with this policy to be “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our policy, we will waive those restrictions to allow security research under this policy. We will not make any claims against you if you have circumvented the technological measures we use to protect the applications under this policy.
We would like to thank you for your cooperation. Your comments and messages will help us to make our systems more secure. In recognition, we would therefore like to welcome you to our Hall of Thanks. Please let us know if and under which name we may list you there.