Net at Work Vulnerability Disclosure Policy
Process for reporting and publishing security vulnerabilities
As a manufacturer of high-quality, durable products, the security of our customer data has top priority and is a company value of Net at Work. We therefore welcome any contribution from external security experts to improve the security of our products. This Directive defines Net at Work's framework for the responsible disclosure of security vulnerabilities. This Directive applies in its current version, subject to change without notice.
2. Scope of application
This policy applies to all networked or network-capable products and components developed, manufactured or marketed by Net at Work, as well as to all publicly available Net at Work IT applications.
We are interested in reports of vulnerabilities that are exploitable, lead directly to an exploitable vulnerability or allow user data to be compromised remotely.
Please note that reports of vulnerabilities with minimal security impact (e.g. missing headers), unverified results of automated scans, vulnerabilities beyond Net at Work’s control, or vulnerabilities that violate the requirements below will not be considered.
3. Authorisation and responsible disclosure
If your findings or comments concern one of our products or our mobile applications, you can contact our Product Security Incident Response Team (PSIRT) directly. Please use the following e-mail address:
Your e-mail should contain the following information:
- Product(s) concerned/application(s)
- Description of the identified weakness
- If available: proof-of-concept source code, exploit or log files
To speed up the reporting process, we ask you:
- to share the security incidents with us in detail;
- to take our existing applications into consideration and not to disturb their operation;
- to give us a reasonable response time before you disclose the information. We will endeavour to respond promptly and remedy the identified vulnerability within 90 days. During this time, we ask you to keep all communications and information confidential. If we are unable to meet this time frame, we will contact you immediately;
- not to access or modify our data or the data of our users without the express permission of the owner. Please access only your own accounts or test accounts for security research purposes;
- to contact us immediately if you accidentally come across data of other users. Viewing, changing, storing, transmitting or otherwise accessing the data is not permitted. Delete all local copies of the data immediately after reporting the vulnerability to the above email addresses;
- to act in good faith to avoid data breaches, data destruction and disruption or deterioration of our services (including denial-of-service), and to comply with all applicable laws.
4. Consequences of compliance with this Directive
We will not take civil action or file a complaint with law enforcement authorities for unintentional, bona fide violations of this Policy as amended. We consider activities conducted in accordance with this policy to be “authorized” conduct. To the extent that your activities are inconsistent with certain restrictions in our Policy, we will waive those restrictions to allow security research under this Policy. We will not make any claims against you if you have circumvented the technological measures we use to protect the applications under this policy.
We would like to thank you for your cooperation. Your comments and messages help us to make our systems more secure. In recognition of this, we would like to welcome you to our Hall of Thanks. Please let us know if and under which name we can list you there.