Vulnerability Disclosure Policy
1. Introduction
NetHunt CRM is committed to ensuring data security by protecting information from unwarranted disclosure. This policy is introduced to give security researchers guidelines for conducting vulnerability discovery activity and to inform on how to report discovered vulnerabilities. This policy describes what systems and types of activities are covered under this policy, how to send vulnerability reports, and how long we ask to wait before publicly announcing discovered vulnerabilities.
2. Guidelines
We request that you:
- Notify us as soon as possible after you discover a real or potential security issue
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or obtain data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personal data, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and keep the data strictly confidential
- Do not submit a high volume of low-quality reports
3. Authorization
Security research conducted in accordance with this policy is considered authorized. We will work with you to understand and resolve the issue quickly, and NetHunt CRM will not recommend or pursue legal action related to your research.
4. Scope
This policy applies to the following systems and services:
- nethunt.com web site
- NetHunt CRM for Web
- NetHunt CRM mobile application for Android
- NetHunt CRM mobile application for iOS
- NetHunt CRM browser extension for Chrome
- NetHunt CRM browser extension for Safari
- NetHunt CRM integration components listed here: https://nethunt.com/integrations
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in third party solutions NetHunt CRM integrates with fall outside of this policy’s scope and should be reported directly to the solution vendor according to their disclosure policy (if any). If you aren’t sure whether a system or endpoint is in scope or not, contact us at security@nethunt.com before starting your research.
5. Types of testing
The following test types are not authorized:
- Network denial of service (DoS or DDoS) tests
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
6. Reporting a vulnerability
Please email security@nethunt.com to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and communicate with you further about our progress. Reports may be submitted anonymously.
7. Desirable information
In order to process and react to a vulnerability report, we recommend to include the following information:
- Vulnerability description
- Place of discovery
- Potential impact
- Steps required to reproduce a vulnerability (include scripts and screenshots if possible)
If possible, please provide your report in English.
8. Our commitment
If you choose to provide your contact information we commit to coordinating with you as openly and as quickly as possible. We will acknowledge within 3 business days that your report has been received.
To the best of our abilities we will keep you informed about vulnerability confirmation and remediation. We are opened to a dialogue for a discussion of issues.
- NetHunt Inc.
- 651 N Broad St, Suite 206
- Middletown, DE 19709
- USA
Last update: April 7, 2020
