Disclosure Policy
NSP Security believes that the disclosure of vulnerabilities is essential for improving the quality of our products and services and the safety of our customers, and for ensuring customers are aware of the choices available to protect their specific interests. We value the insight and commitment of security researchers and other vulnerability investigators who make the world a safer place by identifying vulnerabilities in security solutions, and we welcome their disclosures and collaboration. In return, we provide a mechanism for reporting vulnerabilities to us privately, and we commit to handling those reports with legitimacy and integrity.
Our approach
Responsible disclosure ensures that security products and the infrastructure behind them are tested by independent parties and shown to be reliable. Moreover, a visible commitment to remediating reported vulnerabilities is reassuring for our customers and for the security industry as a whole.
The following is NSP Security’s disclosure policy:
- NSP Security will disclose known vulnerabilities and their fixes to its customers in a manner that protects NSP Security and its customers. Disclosures made by NSP Security will include credit to the person who first identified the vulnerability unless otherwise requested by the one who reported it.
- NSP Security is open to communication. We will work with researchers who come to us with a shared interest to improve security and coordinate the distribution of information that includes both the vulnerability and the solution that addresses it.
- NSP Security will publicly acknowledge in a written advisory the work of a security researcher who brings the company valid information about a vulnerability, as long as:
– it is brought to us privately,
– they work with us to coordinate the public announcement after a fix or patch has been developed and fully tested, and
– they provide us with a reasonable amount of time to ensure that the fix is effective and can be deployed by NSP Security and its customers.
- Security researchers are allowed to post a link to the NSP Security advisory on their own websites as recognition for minimising risk for the greater good and helping end-users protect themselves.
- We ask the security researcher community to work with NSP Security to coordinate the public disclosure of a vulnerability. Prematurely revealing a vulnerability publicly without first notifying us could harm organisations by exposing sensitive information and putting people and businesses at risk of malicious attacks before a fix is available.
- NSP Security advocates a two-step process: first, private disclosure of a potential vulnerability to us. Once the vulnerability is validated, resolved, and we have provided a reasonable time to deploy, we will coordinate the public disclosure, which includes the recognition of the security researcher’s discovery, confirming that credit is given to the right person(s).
- We also ask that researchers allow NSP Security sufficient time to investigate, validate and remediate reported vulnerabilities, in proportion to their complexity and severity. We will communicate expected timelines and any changes to them, and collaborate where possible. In addition, we request that researchers do not perform denial-of-service testing, and do not compromise NSP Security user infrastructure or access personal information.
- NSP Security applies industry best practices for coordinated disclosure of vulnerabilities to protect the security ecosystem. We strive to ensure that customers get the highest quality information possible. We look to drive public discourse about ways to improve products, protocols, methodologies, standards and solutions.
Discovered an issue?
- If you believe you have discovered a vulnerability, read our Reporting Guidelines page for instructions on how to contact the NSP Security Incident Response Team to report your finding privately.