Responsible Disclosure Policy
At noventive, the security of our systems is a top priority. But no matter how much effort we put into system security, vulnerabilities may still exist.
If you discover a vulnerability, we'd like to hear about it so we can take action to fix it as soon as possible. We would like you to help us better protect our customers and our systems.
Please proceed as follows:
- Email your results to security@noventive.com. Encrypt your results with our PGP key to prevent this critical information from falling into the wrong hands.
- Do not exploit the vulnerability or problem you have discovered, for example, by downloading more data than necessary to confirm the vulnerability, or by deleting or modifying other people's data.
- Do not share the problem with others until it is resolved.
- Do not use physical security attacks, social engineering, distributed denial of service, spam, or third-party applications.
- Provide sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but complex vulnerabilities may require further explanation.
What should be reported
Examples of vulnerabilities include:
- Remote code execution
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- Weaknesses in encryption
- Authentication and authorization bypass
What should the message not contain
Please do not report the following items:
- Vulnerabilities without a sufficiently described proof of possible exploitation
- (Missing) SPF/DKIM/DMARC entries
- Cross-site request forgery (CSRF) on static pages (only CSRF on pages behind a login is in scope)
- Redirects from HTTP to HTTPS
- HTML Charsets
- Cookie without HttpOnly flag
- Missing HTTP Strict Transport Security (HSTS)
- Clickjacking or a missing X-Frame-Options header on pages without a login option
- Outdated versions of our server software or third-party applications without a proof of concept showing that the version is exploitable
- The use of insecure SSL/TLS ciphers
- Distributed Denial of Service Attacks
- Spam or social engineering techniques
- Reports from automated scanning tools such as port scanners
What we promise:
- We will evaluate your report within 3 business days and respond with an estimated resolution date.
- If you have followed the above instructions, we will not take legal action against you in relation to the notification.
- We will keep your message strictly confidential and will not share your personal information with third parties without your consent.
- We will keep you updated on the progress in resolving the issue.
- When publishing the reported vulnerability, we will name you as the discoverer of the issue (unless you request otherwise).
- As a thank you for your assistance, we may pay a reward for each report of a security issue we are not yet aware of. The amount of the reward depends on the severity of the vulnerability and the quality of the report.
We strive to resolve all issues as quickly as possible, and we would like to play an active role in the final publication of the issue after it is resolved.
This text is based on the Responsible Disclosure example template, authored by Floor Terra and published under the Creative Commons Attribution 3.0 Unported license.