Security at Net at Work

Net at Work is manufacturerof the modular Email Security Gateway NoSpamProxy. We carry the seal of approval “IT Security made in Germany”, are member of the association TeleTrust Federal Association for IT Security and the Alliance for Cyber Security. The security of our products as well as the privacy of our customers is very important to us.

Vulnerability Reporting

Please send your comments to the following address: psirt@nospamproxy.com.

Your report ideally contains this information:

  • Product/application concerned
  • Description of the vulnerability
  • If available: Proof-ofconcept, Exploit or Network recordings

Even if you’re not quite sure: We will follow up your advice and contact you if we have any further questions.

Net at Work Product Security Incident Response Team

For questions or advice regarding the cyber security of our products and mobile applications please contact: psirt@nospamproxy.com

PGP Public Key

You can find the PGP key here on Open Keys.

PGP Fingerprint:
41EA FC04 E2AE 24EF DF3B 3E7C 13E7 5B53 9C61 F3DD

S/MIME Public Key
You can find the S/MIME key here on Open Keys.

Net at Work Vulnerability Disclosure Policy

Process for reporting and publishing security vulnerabilities

1. Introduction

As a manufacturer of high quality and durable products, the security of our customer data has top priority and is a company value ofNet at Work. We therefore welcome any contribution from external safety experts to improve the safety of our products. This Directive defines the framework which Net at Work for the responsible disclosure of security vulnerabilities. This Directive applies in its current version, subject to change without notice.

2. Scope of application

This policy applies to all networked or network-capable products and components developed, manufactured or marketed by Net at Work, as well as to all publicly available Net at Work IT applications.

We are interested in reports of vulnerabilities that are exploitable, lead directly to an exploitable vulnerability or allow user data to be compromised remotely.

Please note that reports of vulnerabilities with minimal security impact (e.g. missing headers), unverified results of automated scans, vulnerabilities beyond Net at Work’s control, or vulnerabilities that violate the requirements below will not be considered.

3. Authorisation and responsible disclosure

If your findings or comments concern one of our products or our mobile applications, you can contact our Product Security Incident Response Team (PSIRT) directly. Please use the following e-mail address:

psirt@nospamproxy.com

Your e-mail should contain the following information:

  • Product(s) concerned/application(s)
  • Description of the identified weakness
  • If available: Proof of concept source code,exploit or log files

To speed up the reporting process, please

share the security incidents with us in detail;

To take our existing applications into consideration and not to disturb their operation;

To give us a reasonable response time before you disclose the information. We will endeavour to respond promptly and remedy the identified vulnerability within 90 days. During this time please We endeavour to respond promptly and remedy the identified vulnerability within 90 days. During this timewe ask you to keep all communications and information confidential. If we cannot meet this time frame, we will contact you immediately;

Not to access or modify our data or the data of our users without our express permission of the owner. Please access only your own accounts or test accounts for security research purposes; Please access only your own accounts or test accounts for security research purposes;

To contact us immediately if you accidentally come across data of other users. Viewing, changing, storing, transmitting or otherwise accessing the data is not permitted. Delete all local copies of the data immediately after reporting the vulnerability to the above Email addresses;

To act with good faith to avoid data breaches, data destruction and disruption or deterioration of our services (including denialofservice); and to comply with all applicable laws.

4. Consequences of compliance with this Directive

We will not take civil action or file a complaint with law enforcement authorities for unintentional, bona fide violations of this Policy as amended. We consider activities conducted in accordance with this policy to be “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our Policy, we will waive those restrictions to allow security research under this Policy. We will not make any claims against you if you have circumvented the technological measures we use to protect the applications under this policy.

We would like to thank you for your cooperation. Your comments and messages help us to make our systems more secure. In recognition of this, we would like to welcome you to our Hall of Thanks . Please let us know if and under which name we can list you there.