Contact Us

Vulnerability Disclosure Program

Network Optix, Inc.

TERMS & CONDITIONS

The Network Optix Vulnerability Disclosure Program Terms and Conditions (“Terms”) cover your participation in Network Optix Vulnerability Disclosure Program (the Program”). These Terms are between you and Network Optix (“us”, we”). By submitting any vulnerabilities to Network Optix or otherwise participating in the Program in any manner, you accept these Terms.

 


PROGRAM OVERVIEW

The Program enables users to submit vulnerabilities and exploitation techniques (“Vulnerabilities“) to Network Optix about eligible Network Optix products and services (“Products“). Network Optix may change or cancel this Program at any time, for any reason.

 


CHANGES TO THESE TERMS

We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don’t agree to the new Terms, you must not participate in the Program.

If you wish to opt-out of the Program and not be considered for Bounties, contact us at security@networkoptix.com. Opting out will not affect any licenses granted to Network Optix in any Submissions provided by you.

 


PROGRAM ELIGIBILITY

You ARE eligible to participate in the Program if you meet all of the following criteria:

  • You are 18 years of age or older. If you are at least 18 years old but are considered a minor in your place of residence, you must obtain your parent’s or legal guardian’s permission prior to participating in this Program; and

  • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this Program.

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

  • You are a resident of any countries under U.S. sanctions or any other country that does not allow participation in this type of program;

  • You are under the age of 18;

  • Your organization does not allow you to participate in these types of programs;

  • You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;

  • You are currently an employee of Network Optix, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;

  • Within the six months prior to providing us your Submission you were an employee of Network Optix;

  • You currently (or within six months prior providing to us your Submission) perform services for Network Optix in an external staff capacity that requires access to the Network Optix Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor; or

  • You are or were involved in any part of the development, administration, and/or execution of this Program.

It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating. Network Optix disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.

There may be additional restrictions on your ability to enter depending upon your local law.

 


PROGRAM SCOPE

By participating in the Program, you will stick to the following Scope:

  • *.networkoptix.com

  • *.nxvms.com

For Vulnerabilities found on other sites than those listed above:

  • Do not exploit the Vulnerability or cause any changes to the site, or impact the site in any way.

  • Immediately notify security@networkoptix.com, following the Submission guidelines described below.

  • Where applicable, you may continue research on the list of approved sites listed above.

 

OUT-OF-SCOPE VULNERABILITIES

The following types of vulnerabilities aren’t in scope of the program because it’s either a known issue or intended behaviour:

  1. Missing security headers (X-Frame-Options, Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-XSS-Protection and as a consequence - attacks such as Clickjacking, etc.);

  2. Missing SMTP-related protection mechanisms (DMARC, DKIM, SPF, DNSSEC, MTA-STS, TLS-RPT).


SUBMISSION PROCESS

If you believe you have identified a Vulnerability that meets the applicable requirements set forth in the Terms, you may submit it to Network Optix through the process in accordance with the following process:

Each Vulnerability submitted to Network Optix shall be a "Submission." Submissions must be sent to security@networkoptix.com. In the initial email, specify the Vulnerability details, and entitle the subject as “Finding for Vulnerability Disclosure Program”. Please also include as much of the following information as possible:

  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.);

  • URL, that contains the bug;

  • Any special configuration required to reproduce the issue;

  • Step-by-step instructions to reproduce the issue;

  • Proof-of-concept or exploit code;

  • Impact of the issue, including how an attacker could exploit the issue;

We ask you to follow Coordinated Vulnerability Disclosure (CVD) provided below when reporting all Vulnerabilities to Network Optix. Submissions that do not follow CVD or are considered incomplete may not be eligible for recognition. Not following CVD could disqualify you from participating in the Program in the future or subject you to legal action from Network Optix.

Network Optix is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify Network Optix at security@networkoptix.com to ensure your Submission was receieved.

There are no restrictions on the number of qualified Submissions you can provide.

 


COORDINATED VULNERABILITY DISCLOSURE

Under the principle of Coordinated Vulnerability Disclosure (CVD), researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product/service; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately.

The researcher allows Network Optix the opportunity (at least 90 days) to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. Network Optix continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, Network Optix may recognize the finder for the research and privately reporting the issue. If attacks are underway in the wild and the vendor is still working on the update, then both the researcher and Network Optix work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.

For more information on CVD, please review the information provided in the following links:


SUBMISSION LICENSE

Network Optix is not claiming any ownership rights to your Submission. However, by providing any Submission to Network Optix, you:

  • grant Network Optix the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);

  • agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;

  • understand and acknowledge that Network Optix may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;

  • understand that you are not guaranteed any compensation or credit for use of your Submission; and

  • represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Network Optix.


CONFIDENTIALITY OF SUBMISSIONS / RESTRICTIONS ON DISCLOSURE

Protecting customers is Network Optix highest priority. We endeavor to address each Vulnerability report in a timely manner.  While we are assessing and addressing each Vulnerability report, we require that all content in and related to Submissions remain confidential and not be disclosed to third parties or as part of paper reviews or conference submissions.

You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Network Optix will notify you when the Vulnerability in your Submission is fixed.

VIOLATIONS OF THIS SECTION COULD DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE AND SUBJECT YOU TO LEGAL ACTION FROM NETWORK OPTIX.

 


SUBMISSION REVIEW PROCESS

After a Submission is sent to Network Optix in accordance with Section above, Network Optix engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.

Network Optix retains sole discretion in determining which Submissions are qualified, according to the rules set forth in the Vulnerability Disclosure Program.

 

 

PUBLIC RECOGNITION

Network Optix at it is discretion may recognize you on web properties or other printed materials unless you explicitly ask us not to include your name.

 


PRIVACY

Network Optix respects the privacy rights of individuals. Those who wish to not be publicly recognized and notify us as described in the “Public Recognition” section will not be identified, directly or indirectly. Where it does not conflict with these Terms, our privacy policy, available at https://www.networkoptix.com/privacy-policy/ , shall also apply.

 


CODE OF CONDUCT

By participating in the Program, you will follow these rules:

  • Don’t do anything illegal. For example such types of research are strictly prohibited:

    • Any attempt to modify or destroy any data;

    • Executing or attempting to execute a denial of service (DoS) attack;

    • Sending or attempting to send unsolicited or unauthorised email, spam or any other form of unsolicited messages;

    • Conducting social engineering (including phishing) of Network Optix employees, contractors or customer or any other party;

    • Accessing or attempting to access accounts or data that does not belong to you;

    • Testing third party websites, applications or services that integrate with out services or products;

    • Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products or customers or any other party;

    • Exfiltrating any data under any circumstances;

    • Any activity that violates any law.

  • Don't engage in any activity that exploits, harms, or threatens to harm children.

  • Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.

  • Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).

  • Don't engage in activity that is false or misleading.

  • Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).

  • Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.

  • Don't help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future.

 


NO WARRANTIES

NETWORK OPTIX, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.

 


MISCELLANEOUS

These Terms are the entire agreement between you and Network Optix for your Participation in the Program. It supersedes any prior agreements between you and Network Optix regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law.

 


UNSOLICITED IDEAS

Other than your Submission, compliant with these terms, Network Optix does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to Network Optix through the Program or otherwise, Network Optix makes no assurances that your ideas will be treated as confidential or proprietary.

 


IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.

 

Network Optix Vulnerability Disclosure Program | Submission Form

 

To report a security vulnerability and agree to the terms & conditions, fill out the form below.

For the question “Title”, please provide a clear and concise summary of the type of vulnerability and the impacted asset.

For the question “Vulnerability Description”, please provide a detailed explanation of the vulnerability and clear steps on how to reproduce it.

We will use the email address you provide to contact you, acknowledge your report, ask any clarifying questions, etc.

Once you submit, a member of our Security Team will you reach out to you within one business day.