At NT-ware, we view the security of our IT systems seriously and value the security community. Disclosure of security weaknesses helps us to safeguard the security and privacy of our users by acting as a trusted partner. This policy underlines the requirements and mechanisms of NT-ware’s IT Systems and Product Vulnerability Disclosure. It enables researchers to report security vulnerabilities safely and ethically to the NT-ware IT Operations team.
What is in scope?
NT-ware invites security researchers to help strengthen NT-ware and our product offering by proactively reporting security vulnerabilities and weaknesses. NT-ware being part of the Canon Group will work in combination with the Canon PSIRT team an all submissions.
Domains in scope
The table below lists all domains included as part of the NT-ware Vulnerability Disclosure Policy.
Products in scope
Reporting a vulnerability
You can report weaknesses to us by email: email@example.com stating concisely what weakness(es) you have found with as much detail as possible together with any evidence you might have. Be aware that NT-ware is part of the Canon Group and as such works closely with the Canon PSIRT team. Responses to submitted VDP’s may come from either organization as part of our triage and response process
Please include the following information in your email:
What is not acceptable?
What do we do with your report?
Potentially illegal actions
If you discover a weakness and investigate it, you should be aware that you might perform actions punishable by law. Provided you follow the rules and principles below when reporting weaknesses in our IT systems, NT-ware will not report your offense to the authorities and will not submit a claim.
However, you need to know that the public prosecutor's office – not NT-ware – may decide that you should be prosecuted, even if NT-ware has not reported your offense to the authorities i.e. NT-ware cannot guarantee that you will not be prosecuted if you commit a punishable offense when investigating a weakness.
The National Cyber Security Centre of the Ministry of Security and Justice Netherlands has created guidelines for reporting weaknesses in IT systems. NT-ware’s rules are based on these guidelines. (Home - National Cyber Security Centre)
Take responsibility and act with extreme caution. When investigating the matter, only use methods or techniques necessary to find or demonstrate weaknesses.
You must not:
Frequently asked questions
Do you have a bug bounty program?
We do not conduct a bug bounty program. Accordingly, please acknowledge that there is no expectation of payment or compensation and that any future right to claim related to the submitted report is waived.
Am I allowed to publicize the results of my investigation?
Never publicize weaknesses in NT-ware IT systems and products or your research without consulting us first. Canon PSIRT and the NT-ware teams will work with you to ensure you are appropriately recognized in any public notifications for your efforts.
Can I report a weakness anonymously?
Yes you can. You do not have to disclose your name and contact details when you report a weakness. Please realize, however, that NT-ware will be unable to consult with you regarding follow-up actions or further collaboration.