Vulnerability Disclosure Policy

Have you found a security issue or vulnerability with our website or products? Please let us know as soon as possible.

We care about our systems, our network, and our products; we want to keep them safe. However, vulnerabilities are discovered all the time. If you have found an issue, please let us know as soon as possible.

Our vulnerability disclosure policy is not an invitation to actively scan our applications or systems.

Please be aware that we have our own automated security processes, which means that active scanning will be detected. Do not use automated vulnerability scanners, as they may disrupt the availability of our applications or servers, and our Security Operation Centre (SOC) would have to investigate. This could lead to unnecessary costs and divert the SOC from its other work. However, if you have found an issue that you consider to have a security impact, we would like to hear from you as quickly as possible so that we can fix it.

If you believe you have discovered a security issue, please:

  • E-mail your report to us at vdp@nccgroup.com immediately.
  • Give us enough information so that we can reproduce the issue and fix it as quickly as possible. The IP address or the URL of the system, along with a good description of the vulnerability, is usually enough.
  • Do not abuse the issue by downloading, changing, or deleting our data. If we need further information to confirm what you are describing, we will email you.
  • Do not share or publicise the issue with anyone else until it has been fixed.
  • Do not try to get into our buildings or offices.
  • Do not conduct social engineering on our employees or contractors.

 

What we will do if you report an issue:

  • We will take your report seriously and investigate even a suspicion of a vulnerability.
  • We will respond within five business days. Do remember that there are different holidays in different countries, so it may be longer. Please be patient.
  • We will evaluate the behaviour you reported and investigate if it is already known to us. If valid, we will share how long it may take to fix.
  • We will keep you informed of our progress to fix the issue.
  • We will not share your personal information with third parties without your permission, unless required to do so by law or regulation.
  • We cannot guarantee that no legal action will be taken if we suspect you have exploited the vulnerability or have shared information with third parties. Of course, the accidental discovery of an issue or testing in good faith will not lead to prosecution.
  • Once the issue is fixed, we would like to be involved in any publication about it. We have a global presence and a wide audience. We believe that working together on a public disclosure is the best way to obtain recognition for your hard work.