
Vulnerability Disclosure Policy

At NT-ware, we view the security of our IT systems seriously and value the security community. Disclosure of security weaknesses helps us to safeguard the security and privacy of our users by acting as a trusted partner. This policy underlines the requirements and mechanisms of NT-ware’s IT Systems and Product Vulnerability Disclosure. It enables researchers to report security vulnerabilities safely and ethically to the NT-ware IT Operations team.

This policy applies to everyone, i.e. to NT-ware employees and any party associated with NT-ware.

Scope

The NT-ware IT Operations Team is committed to protecting NT-ware's customers and employees. As part of this commitment, we invite security researchers to help protect NT-ware by proactively reporting security vulnerabilities and weaknesses. You can report the details of your finding(s) to: product-security@nt-ware.com

Domains in scope

The table below lists all domains included as part of the NT-ware Vulnerability Disclosure Policy.

 

*.nt-ware.com            *nt-ware.net
*.uniflowonline.com      *.uniflow.global
*.buildit-global.com     *uniflow-demo.com
*.ulmtracker.com         *.syshub.global

uniFLOW Online product in scope

For more information, see: NT-ware and uniFLOW Online DNS and IP addresses

Reporting a vulnerability

You can report weaknesses to us by email at product-security@nt-ware.com, stating concisely what weakness(es) you have found, with as much detail as possible and any evidence you might have. N.B. NT-ware security specialists will review the message.

Please include the following information in your email:

  • The type of vulnerability.
  • The step-by-step instructions as to how to reproduce the vulnerability.
  • The approach you undertook.
  • The entire URL.
  • Objects (as filters or entry fields) possibly involved.
  • Screenshots are highly appreciated.
  • Please provide your IP address. This will be confidential; NT-ware will use this information to track your testing activities and review the logs.

What is not acceptable?

  • Volumetric/denial of service vulnerabilities, i.e. simply overwhelming our service with a high volume of requests.
  • TLS configuration weaknesses e.g. "weak" cipher suite support, TLS1.0 support, sweet32 etc.
  • "Self" XSS.
  • Mixed Content Scripts on www.nt-ware.*
  • Insecure Cookies on www.nt-ware.*
  • CSRF and CRLF attacks where the resulting impact is minimal.
  • HTTP Host Header XSS without working proof-of-concept.
  • Incomplete/missing SPF/DMARC/DKIM.
  • Social engineering attacks.
  • Security bugs in third-party websites that integrate with NT-ware websites.
  • Network data enumeration techniques e.g. banner grabbing, publicly available server diagnostic pages.
  • Reports indicating that our services do not fully align with "best practice."
  • Automated software scanner output.

What do we do with your report?

NT-ware IT Operations Team will investigate your report and contact you within five working days.

Your privacy

We will only use your personal details when considering what action to take based on your report. We will not share your personal information with others without your express permission.

Rules

Potentially illegal actions

If you discover a weakness and investigate it, you should be aware that you might perform actions punishable by law. Provided you follow the rules and principles below when reporting weaknesses in our IT systems, NT-ware will not report your offense to the authorities and will not submit a claim.

However, you need to know that the public prosecutor's office – not NT-ware – may decide that you should be prosecuted, even if NT-ware has not reported your offense to the authorities i.e. NT-ware cannot guarantee that you will not be prosecuted if you commit a punishable offense when investigating a weakness.

The National Cyber Security Centre of the Ministry of Security and Justice Netherlands has created guidelines for reporting weaknesses in IT systems. NT-ware’s rules are based on these guidelines. (Home - National Cyber Security Centre)

General principles

Take responsibility and act with extreme caution. When investigating the matter, only use methods or techniques necessary to find or demonstrate weaknesses.

You must not:

  • Violate any law or regulations.
  • Access unnecessary, excessive or significant amounts of data.
  • Copy more than you need. If one record is sufficient, do not go any further.
  • Modify data in NT-ware's systems or services.
  • Use high-intensity invasive or destructive scanning tools to identify vulnerabilities.
  • Attempt or report any form of denial of service e.g. overwhelming a service with a high volume of requests.
  • Disrupt or alter NT-ware's services, systems or information.
  • Demand financial compensation in order to disclose any vulnerabilities.
  • Publicly disclose any resolved vulnerability report without prior written consent from NT-ware.
  • Use any weaknesses you detect for purposes other than your own research.
  • Use social engineering to gain access to a system.
  • Install any back doors, not even to demonstrate the vulnerability of a system, as they will weaken the system's security.
  • Use brute force techniques e.g. repeatedly entering passwords to gain access to systems.
  • Use a Denial of Service (DoS) type of attack to gain access.

You must:

  • Securely delete all data retrieved during your research as soon as it's no longer needed or within one month of resolving the vulnerability - whichever occurs first or as otherwise required by data protection law.
  • Always comply with data protection rules and do not violate the privacy of NT-ware's users, staff, contractors, services or systems i.e. you must not share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Only infiltrate a system if it is really necessary to do so.
  • Do not share access with others if you manage to infiltrate a system.

Frequently asked questions

Will I receive a reward for my investigation?

No, you will not receive any compensation.

Am I allowed to publicize the results of my investigation?

Never publicize weaknesses in NT-ware IT systems and products or your research without consulting us first via email: product-security@nt-ware.com. Please consult with our IT Operations Team to work together towards publication so that we can collaborate to prevent third parties/criminals from abusing this information.

Can I report a weakness anonymously?

Yes, you can. You do not have to disclose your name and contact details when you report a weakness. Please realize, however, that NT-ware will be unable to consult with you regarding follow-up actions or further collaboration.

What shouldn't I use this email address for?

The email: product-security@nt-ware.com is not intended for the following:

  • To submit complaints about NT-ware products or services.
  • To submit questions or complaints about the availability of NT-ware websites.
  • To report fraud or suspicion of fraud.
  • To report spam or phishing emails.
  • To report viruses.