Responsible Disclosure
1. Introduction
Security is paramount at Netcorecloud. We are continuously working to ensure our systems and applications provide a safe environment for our customers. If a security researcher or member of the public responsibly identifies and shares a vulnerability with us, we value their contribution. We commit to working with them urgently to resolve the issue and, if they want, to publicly acknowledge their contribution.
2. How to report an issue?
To report a security vulnerability on a Netcorecloud web property, we ask that you:
- Contact us at once by emailing [email protected]. Please provide the necessary details (screenshots, videos, or text) so we can easily recreate the vulnerability.
- Provide your contact information (email/phone number) so our security team can follow up quickly if they require further input to resolve the issue.
3. Dos and Don’ts:
- Please refrain from sharing any reported issues on public forums or with third parties until the vulnerability is completely mitigated. We trust that you will keep the information confidential while our security team works with you to estimate and commit to a resolution timeline.
- If the identified vulnerability can be used to potentially extract information of our customers or systems, or impair our system’s ability to function normally, then please refrain from actually exploiting such a vulnerability. This is absolutely necessary for us to consider your disclosure a responsible one.
- We appreciate ethical disclosure, but exploiting a vulnerability for illegal gain, accessing restricted information, or damaging our systems is strictly prohibited and will result in legal action.
- We strongly suggest researchers refrain from using any and all automated security tools and third-party websites for testing applications/infra belonging to Netcore. Any such incidents will be considered an attack on our assets and will be met with legal recourse.
- Any issues that require Netcore employees/users to interact in order to exploit the issue are considered invalid.
- Any issues that require an outdated browser and application are considered invalid.
- Any issues that require physical access to our systems or infrastructure are considered invalid.
- Any issues that are already known to us internally or reported externally are considered duplicates. Your report must be the first for it to be considered a valid issue.
- We also request that you not attempt attacks such as DoS, social engineering, phishing, etc. These kinds of findings will not be considered valid, and if caught, might result in the suspension of your account and appropriate legal action as well.
- You are obliged to share any extra information if asked for it; refusal to do so will result in invalidation of the submission.
4. Responsibility at our end
- We will be fast and will try to get back to you as soon as possible.
- We will keep you updated as we work to fix the bug you have submitted.
- The Thank-You section will be updated only once the vulnerability has been fixed.
5. Acknowledgments
We do not have a bounty/cash reward program for such disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in this section on our website. Of course, this will be done if you want a public acknowledgment.