Responsible Disclosure - NDIX

Responsible Disclosure

At NDIX, we consider the security of our systems very important. Despite our care for the security of our systems, a weak spot might still occur.

If you have found a vulnerability in one of our systems, we would like to hear about it so we can take the required security measures as quickly as possible. We would like to work with you to better protect our customers and our systems.

We ask you:

  • To email your findings to responsibledisclosure@ndix.net,
  • Not to misuse the problem by, for example, downloading more data than necessary to demonstrate the leak or accessing, deleting or modifying third-party data,
  • Not to share the problem with others until it is resolved and to delete all confidential data obtained through the leak immediately after the leak is closed,
  • Not to use physical security attacks, social engineering, distributed denial of service, spam or third-party applications, and
  • To provide sufficient information to reproduce the problem so that we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more may be required for more complex vulnerabilities.

What we promise:

  • We will respond to your report within 5 working days with our assessment of the report and an expected date for a resolution,
  • If you have complied with the above conditions, we will not take any legal action against you regarding the report,
  • We will treat your report confidentially and will not share your personal information with third parties without your consent unless necessary to comply with legal obligations. Reporting under a pseudonym is possible,
  • We will keep you informed of the progress in resolving the problem,
  • In notifying you of the reported problem, we will, if you wish, include your name as the discoverer.

We aim to resolve all problems as soon as possible and we will be happy to be involved in any publication about the problem after it is resolved.

Welcome to our Hall of Fame

This is a space dedicated to recognizing and appreciating individuals who have contributed significantly to our digital safety by responsibly reporting vulnerabilities. We extend our heartfelt gratitude to these exceptional individuals, whose efforts have played a crucial role in strengthening our defenses against cyber threats. Their vigilance and commitment to responsible disclosure are invaluable in creating a more secure and resilient digital landscape.

2024

Name: Mridul Rastogi
Reported: Absence of MTA-STS record
Status: Ongoing

Name: Gaurang Maheta
Reported: CVE-2017-5487
Status: Resolved