Our Vulnerability Disclosure Policy (VDP) establishes a clear process for reporting and addressing security vulnerabilities in our supported products and systems. It fosters collaboration with researchers and stakeholders, ensuring issues are resolved promptly to protect our users and strengthen trust in our organization.
This policy applies to all of our open-source projects, our products delivered directly to customers and our Software-as-a-Service offerings.
If you have discovered a security issue with our products, please submit a report to security@nordeck.net, with the following information:
- Your contact email address
- The vulnerability description
- The steps to reproduce it and a proof of concept
- The assumed impact and recommended fix
Nordeck does not provide compensation in exchange for information pertaining to security vulnerabilities under this policy. We may choose not to pursue, contact, or otherwise interact with reporters who decline to identify themselves when making the report. We will deal in good faith with reporting parties who comply with these guidelines. We may choose to disregard submissions by parties who submit a high volume of low-quality reports.
For parties who conduct security research and vulnerability disclosure activities in accordance with these Responsible Disclosure Guidelines:
- We will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and
- in the event of any law enforcement or civil action brought by anyone other than Nordeck, Nordeck will take reasonable steps to make known that the activities of the affected parties were conducted pursuant to and in compliance with these Responsible Disclosure Guidelines.
All activities conducted under these Responsible Disclosure Guidelines must be limited exclusively to the following:
- Testing to detect a potential vulnerability or to identify an indicator related to a potential vulnerability; or
- Sharing information with Nordeck, or receiving information from Nordeck, related to a potential vulnerability.
Nordeck does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity. If you engage in any activities that are inconsistent with these Responsible Disclosure Guidelines or any applicable law, you may be subject to criminal and/or civil liabilities.
- Parties conducting activities subject to the Responsible Disclosure Guidelines must do no harm, including but not limited to:
  - exploiting any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists;
  - intentionally accessing the content of any communications, data, or information transiting or stored on Nordeck network(s) or system(s);
  - compromising the privacy or safety of our employees, our customers, or any third parties;
  - intentionally compromising the intellectual property or other commercial or financial interests of Nordeck, Nordeck employees, our customers, or any third parties;
  - posting, transmitting, uploading, linking to, sending, executing, or storing any malicious software on any Nordeck network(s) or system(s).
- Reporting parties must allow Nordeck an opportunity to correct a potential vulnerability within a reasonable timeframe before publicly disclosing the identified issue, to ensure that we have developed and thoroughly tested the solution to such issue.
- Parties conducting activities under these Responsible Disclosure Guidelines must comply with all laws applicable to security research activities or any other activities under these Responsible Disclosure Guidelines.
- To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any non-Nordeck entity, such non-Nordeck entity may independently determine whether to pursue legal action or remedies related to such activities.
NOTE: Nordeck reserves the right, in its sole discretion, to modify the terms of these Responsible Disclosure Guidelines or to terminate any or all of them at any time.