Vulnerability Disclosure Policy

The safety and security of our customers is our highest priority. Therefore, we design and build our products and services with the highest possible quality and reliability.

This Vulnerability Disclosure Policy ("VDP") describes Nexplore's policy for receiving reports of potential security vulnerabilities in its products and services and the company's standard practice for notifying customers of verified vulnerabilities.

Everyone is encouraged to report identified vulnerabilities, regardless of the type of service or product. Researchers, partners, CERTs, customers, or any other source are welcome to report vulnerabilities.

The discovery and reporting of vulnerabilities can have civil and criminal consequences. The risks involved can be reduced by following these rules.

Reporting of Security Issues & Disclosure Policy 

Nexplore believes that working with skilled security researchers around the world is critical to identifying vulnerabilities in any technology. If you believe you have found a security vulnerability in our products or services, we encourage you to notify us. We look forward to working with you to resolve the issue in a timely manner. 

Requirements 

To ensure that a submission is acceptable, you must follow a few rules: 

  • Let us know as soon as possible when you discover a potential security problem, and we'll make every reasonable effort to fix it quickly. 

  • Give us a reasonable amount of time to fix the problem before disclosing it to the public or a third party. And be aware that no disclosure is allowed without Nexplore's written permission. 

  • Please avoid DDoSing us or causing a service interruption while testing our platform. And be careful not to compromise the privacy of our customers or employees. 

  • Do not try to over-exploit the bug and access internal data for further vulnerabilities. We will determine the severity of the problem in depth. 

  • If you find the same vulnerability more than once, please file only one report and use comments if possible.  

  • Do not harm Nexplore, Nexplore's customers or partners. 

  • Do not keep copies of non-public Nexplore information or share such information with third parties. 

  • Do not engage in social engineering, spam or phishing attacks. 

  • Do not use or modify any data that you may access during discovery. Please act in good faith by conducting your activities under this policy and reporting the vulnerability to us promptly, in sufficient detail for us to determine the validity of the vulnerability, and without coercion, dishonesty, or fraudulent intent. 

Violation of any of these rules may result in further action by Nexplore, including, but not limited to, legal action against you. 

Nexplore does not currently offer compensation for reporting security issues. 

Contacting Nexplore’s security team & sending reports 

The preferred method of contacting Nexplore's security team is to email security@nexplore.ch if you have identified a potential vulnerability in one of our products or services. 

To help us manage the vulnerability, we expect well-written reports in English or German that include the following information: 

  • Time and date of discovery 

  • URL, browser information including type and version, and what is required to reproduce the vulnerability 

  • Technical description – provide as much detail as possible about what actions were taken and what the result was 

  • Evidence of exploitability – e.g. screenshot, video 

  • Sample code – if possible, provide code used in testing to create the vulnerability 

  • Contact information for the reporting party – best way to reach you 

  • Threat/Risk Assessment – provide details of the threats and/or risks identified, including a risk level (high, medium, low) for the assessment result 

  • Software Configuration – computer/device configuration details at time of vulnerability 

  • Pertinent information about connected devices if the vulnerability occurs during interaction. If a secondary device triggers the vulnerability, this information should be provided. 

Triage & follow-up 

Upon receipt of your incident report, the appropriate personnel will contact you for follow-up. Our goal is to acknowledge receipt of all reports submitted within seven days.