Vulnerability Disclosure Program
Introduction
Nucleus Security is committed to ensuring the security and integrity of our customers’ data. To that end, we welcome the responsible disclosure of potential security vulnerabilities discovered in our products or services. If you feel you’ve discovered a potential security vulnerability in one of our products or services, we strongly encourage you to disclose it to us as quickly as possible.
To encourage responsible disclosure, Nucleus Security will not take any legal action against researchers related to the responsible discovery and reporting of a potential security vulnerability if it is discovered and disclosed as defined by this program. In the event of any non-compliant actions, Nucleus Security reserves all legal rights.
We appreciate the time and effort put forth by security researchers and will endeavor to review all reports as quickly as possible. We ask for patience as we verify and correct the reported issues before any public disclosure.
Non-Disclosure
Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.
Vulnerability Reporting Procedure
If you have any questions or need to report a potential vulnerability, please email our IT Security team at [email protected].
Discovering Potential Security Vulnerabilities
We encourage you to conduct responsible security research on our products and services. You may only conduct research on our services and products to which you have authorized access and within the guidelines below.
Prohibited Activities:
- Accessing or attempting to access accounts or data that do not belong to you
- Any attempt to modify, download, or destroy any data
- Executing or attempting to execute a denial of service (DoS) attack
- Sending or attempting to send unsolicited or unauthorized email, spam or any other form of unsolicited messages
- Conducting social engineering (including phishing) of Nucleus Security employees, contractors, customers or any other party
- Any physical attempts against our property, including (but not limited to) offices, employees’ residences, data centers, or other facilities
- Posting, transmitting, uploading, linking to, sending or storing any form of malware, virus, or similar harmful or unauthorized software which could impact our services, products or customers or any other party
- Testing third party websites, applications, or services that integrate with our services or products
- The use of automated vulnerability scanners
- Exfiltrating any data under any circumstancesAny activity that violates any law
Findings Excluded from This Program:
- Reports from automated vulnerability scanners
- Descriptive error messages such as stack traces, application or server errors
- HTTP 404 codes or pages, or other HTTP non-200 codes or pages
- Fingerprinting or banner disclosure on common and public services
- Disclosure of known public files or directories, such as robots.txt
- Clickjacking and other issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users, such as contact, login and logout forms
- CSRF with minimal security implications
- Content spoofing or text injection
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure or HTTPOnly flags on non-sensitive cookies
- Login or Forgot Password page brute force and account lockout not enforced
- Enabled HTTP methods (such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc.) without a valid attack scenario
- Missing HTTP security headers, such as Strict Transport Security, X-Frame-Options, X-SSS-Protection, etc.
- Host header or CSV injection without a valid attack scenario
HTTP or DNS cache poisoning - Missing best practices in SSL/TLS configuration without a working proof of concept
- Self-exploitation issues (such as self XSS, cookie reuse, self-denial of service, etc.)
- Issues related to mobile applications that require the host device to be either rooted or jailbroken
- Issues related to brute forcing, rate limiting, and other denial of service type attacks
- Weak password policy implementation
- Use of a known-vulnerable library or framework (e.g. outdated jQuery or AngularJS) without a valid attack scenario
- Issues that rely on outdated or unpatched browsers and platforms to be abused
Reporting a Potential Security Vulnerability
You can responsibly disclose potential security vulnerabilities to the Nucleus Security Information Security Team by emailing [email protected]. Ensure that you include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.
When reporting a potential security vulnerability, please include as much information as possible, including:
- An explanation of the potential security vulnerability
- A list of products and services that may be affected (where possible)
- Steps to reproduce the discovery
- Proof-of-concept code (where applicable)
- The names of any test accounts you have created (where applicable)
- Your contact information.
What happens next?
Once you have reported a potential security vulnerability, we will contact you within 72 hours with an initial response. We ask that you remain patient as we evaluate and validate the findings and implement any potential remediations or mitigations that we determine may be required. We will strive to keep you informed of our progress and will also notify you when the matter has been addressed.
Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it. If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition or compensation.
We ask that you maintain confidentiality and do not publicly disclose your research until we have completed our investigation and, if necessary, have implemented any remediations or mitigations the potential security vulnerability may warrant.
Compensation
When our internal investigation, remediation, and mitigation steps are complete, Nucleus Security may, at its own discretion, provide compensation to the security researcher who made the initial disclosure. The forms of compensation, their amounts, and methods are determined solely by Nucleus Security.
No compensation will be provided unless all the following conditions are met.
- The detection and disclosure of the potential security vulnerability was conducted strictly in accordance with this program
- The potential security vulnerability was previously unreported/unknown to Nucleus Security
- The potential security vulnerability was kept confidential until after Nucleus Security completed all remediations or mitigations and expressly approved public disclosure
- The act of providing compensation will not violate any laws