Vulnerability disclosure policy
Overview
Vulnerability disclosure in a controlled manner is a foundation of ethical hacking and a prerequisite for establishing trust with Nixu customers. Not following ethical vulnerability disclosure practices may cause serious harm to Nixu, customers of Nixu, and the digital society around us. All Nixu employees and subcontractors with information about non-disclosed vulnerability information must adhere to the instructions outlined below.
Purpose
This policy aims to establish a standard for disclosing security vulnerabilities in an ethical and controlled manner in Nixu.
Scope
The scope of this policy includes all Nixu employees and subcontractors who gain information about non-disclosed security vulnerabilities affecting either Nixu, customers of Nixu, or 3rd parties associated with Nixu. In addition, external parties who have found vulnerabilities in Nixu owned systems are strongly recommended to follow the instructions in this policy to avoid any legal consequences of uncontrolled vulnerability disclosure.
Policy
General
Nixu's main goals on security vulnerability disclosure are:
- To help our customers to protect their business by being able to patch vulnerable systems.
- To contribute to the industry in general, so software products are made more secure to all users by having vendors deliver generic patches.
- To raise public awareness of information security vulnerabilities and ethical hacking
In all situations, Nixu employees and subcontractors are committed to disclosing vulnerability information in a controlled and ethical manner. In practice, this means adhering to the following instructions:
The scope of the disclosure is limited to the relevant stakeholders affected by the vulnerability. Details of disclosing the information for a wider audience will be separately agreed with the relevant stakeholders.
It is not allowed to take advantage of the vulnerability or problem that has been discovered by, for example, extracting more data than necessary to demonstrate the vulnerability or deleting or modifying the affected party's data.
When communicating about the details of the non-disclosed vulnerability with relevant stakeholders, an encrypted communication channel will be used whenever possible.
In addition to the above instructions, specific procedures must be followed depending on the party affected by the vulnerability. Such procedures are described below.
Vulnerabilities affecting Nixu
All vulnerabilities affecting Nixu owned systems must be reported to vulnerabilities@nixu.com
Nixu promises to respond to the vulnerability reporter within three working days by contacting the affected system's owner and providing the reporter a response. Nixu aims to solve the security problems observed by the reporter as quickly as possible. Nixu will agree with the reporter, whether and in which channels the issues will be published after they have been solved.
By complying with the instructions described above, Nixu will not take any legal actions against the vulnerability reporter when disclosing vulnerabilities in a Nixu owned system. Nixu aims to keep its systems and assets secure and hence promotes ethical disclosure of vulnerabilities affecting Nixu. Depending on the seriousness of the identified vulnerability, Nixu will reward the reporter as gratitude for helping to keep Nixu secure.
Vulnerabilities affecting customer environments and projects
If a security vulnerability is identified in a customer environment or project, Nixu will foremost respect the possible non-disclosure and contractual agreements formed with the customer. Nixu will immediately bring the vulnerability to customer's attention and agree on how to proceed with the matter. Nixu may publicly publish vulnerability information and to appropriate vulnerability coordinators such as NCSC-FI, US-CERT, or CERT/CC responsibly only when the customer agreements allow this.
Vulnerabilities affecting 3rd party products and services
If a security vulnerability is identified in a 3rd party product, Nixu will inform the vendor(s) either directly or via an appropriate vulnerability coordinator such as NCSC-FI, US-CERT, or CERT/CC to ensure that the vulnerability will be fixed.
In 3rd party related vulnerabilities that may impact the security of a wider audience, Nixu shall adhere to a 90-day disclosure deadline. After notifying the 3rd party about the vulnerability, Nixu will wait 90 days before disclosing the related information to the public. Public vulnerability disclosure can also be done sooner if the 3rd party can release a fix before the deadline. Limited prolongation of the 90-day deadline can be agreed with a 3rd party case by case.
If the identified vulnerability is previously unknown and under active exploitation, Nixu can decide to take more urgent schedules to disclose the vulnerability. Such vulnerabilities can be disclosed in 7 days after notifying the affected 3rd party. The decision to publish the vulnerability sooner than the standard 90-days deadline will be made case by case and approved separately by Nixu CISO.
Last updated: April 9 2020