
Responsible Disclosure Policy

At Nordlox, the security and privacy of our customers are of utmost importance. We value the contributions of the security community and are committed to addressing vulnerabilities responsibly and promptly. If you have discovered a security vulnerability in our systems, we encourage you to report it to us in a responsible manner.

We prioritize the security and privacy of our customers and end-users. To maintain the integrity of our products and services, we commit to a responsible disclosure policy that ensures vulnerabilities are addressed promptly and effectively while fostering collaboration with the security research community.

Key Principles

  1. Transparent Disclosure:

    Nordlox will disclose known vulnerabilities and their fixes in a manner that safeguards end-users. When vulnerabilities are disclosed, we will credit the person who first identified the issue, provided they consent to being acknowledged.

  2. Collaboration with Researchers:

    We value security researchers who approach us with the shared goal of enhancing security. Nordlox works closely with researchers to ensure vulnerabilities and their solutions are communicated effectively and responsibly.

  3. Recognition and Acknowledgment:

    Although Nordlox does not offer a monetary bounty program, we publicly recognize researchers who privately report valid vulnerabilities and work with us to coordinate public announcements after fixes have been implemented.

  4. Promotion of Safe Practices:

    Security researchers are encouraged to share links to Nordlox advisories on their own platforms as acknowledgment for their contributions to user safety and risk minimization.

Responsible Disclosure Guidelines

We ask the security research community to collaborate with Nordlox on the responsible disclosure of vulnerabilities. Premature public disclosure without prior notification to Nordlox could harm end-users by exposing sensitive data and increasing the risk of malicious attacks.
To this end, Spyman Security ApS advocates a two-step process:

  • Private Reporting: Researchers privately disclose potential vulnerabilities to Spyman Security ApS.
  • Coordinated Disclosure: Once validated and resolved, Nordlox will coordinate public disclosure, giving full credit to the researcher(s) who identified the issue.

Expectations and Requests

  1. Transparency in Communication:

    Nordlox will provide regular updates on the status of reported vulnerabilities, including expected timelines and changes.

  2. Avoid Harmful Testing:

    We ask researchers to refrain from using Denial of Service tools and from compromising user infrastructure or personal data during testing. Where such testing is needed, we can provide testable products in non-production environments where feasible.

Reporting a Vulnerability

If you believe you have identified a security issue, please contact us by sending an email to security@nordloxsecure.com with the following details:

  1. A detailed description of the vulnerability.
  2. Steps to reproduce the issue, including any relevant URLs or system configurations.
  3. Proof-of-concept code or screenshots (if applicable).
  4. Your contact information for follow-up (optional but helpful).

We ask that you:

  1. Refrain from disclosing the vulnerability publicly until we have addressed it.
  2. Avoid exploiting the vulnerability beyond what is necessary to demonstrate its existence.
  3. Do not access or modify data that does not belong to you.

Our Commitment

Commitment to Industry Standards

Nordlox adheres to industry best practices for coordinated vulnerability disclosure. This ensures customers receive accurate and high-quality information while promoting public discourse on improving products, standards, and solutions.

Building Partnerships with Researchers

As part of our responsible disclosure program, Nordlox seeks to build relationships with security researchers who align with our shared responsibility approach. Together, we can ensure vulnerabilities are disclosed responsibly and end-users are protected.

When you report a vulnerability to Nordlox, we pledge to:

  1. Acknowledge your report within 48 hours.
  2. Investigate the issue and provide an estimated timeline for resolution.
  3. Keep you informed of our progress throughout the resolution process.
  4. Credit you for your discovery (if you wish) on our Hall of Fame page.

Scope

The following areas are in scope for vulnerability reporting:

  1. Nordlox websites and applications.
  2. Nordlox APIs and services.
  3. Any publicly accessible Nordlox infrastructure.

Out of scope:

  1. Issues related to outdated browsers or unsupported platforms.
  2. Social engineering attacks or phishing attempts.
  3. Denial of Service (DoS) attacks.

Legal Safe Harbor

We promise not to take legal action against researchers who identify and report vulnerabilities responsibly, provided they follow the guidelines outlined in this policy.

Thank you for helping us make Nordlox a safer platform for everyone. We deeply appreciate your time and expertise in keeping our systems secure.

Update Information


Version 1.0 February 2025
