Vulnerability Disclosure Programs (VDP)
Introduction
Nicolaudie Group welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.
Systems in Scope
This policy applies to any digital assets owned, operated, or maintained by Nicolaudie Group and its affiliated brands, websites & companies.
Out of Scope
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority. In addition to customer applications, any 3rd party providers and services are also excluded.
These 3rd party services include, but are not limited to:
- Assets or other equipment not owned by parties participating in this policy.
- Stripe
- Fastspring
- Freshping
- FreshStatus
- Google Analytics
- Google Tag Manager
- Google Maps
- fonts.googleapis.com
- cdn.jsdelivr.net
- storage.googleapis.com
Our Commitments
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
Severity Framework and Rating
Nicolaudie Group utilizes the Common Vulnerability Scoring System (CVSS) as the primary method for evaluating security risks and prioritizing identified vulnerabilities. CVSS stands as an industry-standard metric for vulnerability assessment. For further insights into CVSS, visit
FIRST.org.
Occasionally, we may incorporate supplementary factors beyond the CVSS score to ascertain the severity level of a vulnerability, in accordance with the
CVSS v3.1 specification. Should such an approach be adopted, we will transparently outline the additional factors considered and the rationale behind them when publicly disclosing the vulnerability.
Below, we offer several examples of vulnerabilities and their corresponding severity levels. It's essential to note that these ratings serve as a general reference and do not account for the specifics of your system configuration.
|
Name |
CVSS 3.x |
Resolution timeframe |
Description (non-exhaustive list) |
P1 |
Critical |
9.0 - 10 |
Within 1 weeks of being verified |
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
- Critical Data Exposure: Unauthorized access to sensitive data, critical security misconfiguration.
- Unauthenticated RCE: Exploitable without authentication, compromising the entire system.
|
P2 |
High |
7.0 - 8.9 |
Within 2 weeks of being verified |
- The vulnerability is difficult to exploit.
- Exploitation could result in a significant data loss or downtime.
- Limited Remote Code Execution (RCE): RCE with restrictions, SQL injection with broader scope.
- Privilege Escalation: Exploiting user privileges, gaining unauthorized access to sensitive data.
|
P3 |
Medium |
4.0 - 6.9 |
Within 4 weeks of being verified |
- Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
- Denial of service vulnerabilities that are difficult to set up.
- Exploits that require an attacker to reside on the same local network as the victim.
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
- Moderate XSS: Persistent XSS, CSRF with limited impact.
- Limited SQL Injection: SQL injection with limited scope, XSS with moderate impact.
|
P4 |
Low |
0.1 - 3.9 |
Within 20 weeks of being verified |
- Informational or configuration issues that pose minimal risk.
- Minor issues that require local access or unlikely to be exploited.
- Information Disclosure: Exposing non-sensitive information through error messages or banners.
- Configuration Weaknesses: Lack of proper encryption (SSL/TLS), directory listing.
- Weak Authentication: Weak password policy, missing multi-factor authentication.
- Minor Cross-Site Scripting (XSS): Reflected XSS with low impact, weak session management.
|
P5 |
N/A |
0 |
|
|
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Official Channels
Please report security issues providing all relevant information via:
The more details you provide, the easier it will be for us to triage and fix the issue.
Safe Harbor
When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.