Vulnerability Disclosure Policy

We attach great importance to the security of our IT systems and web applications that we provide for our customers and partners. Despite adhering to best practices in IT security, vulnerabilities can still occur in our systems.

If you discover a vulnerability in our systems or applications, we ask that you inform us as soon as possible so that we can fix it as quickly as possible.

Reporting a vulnerability

If you discover a vulnerability in our systems, we ask you to observe the following rules:

  • Before reporting, please check which cases fall outside the scope of this Vulnerability Disclosure Policy and will not be processed under it (see “Non-qualified vulnerabilities” below).
  • Send us your findings on the vulnerability by email to “security@next-scientific.com”.
  • Provide us with sufficient information so that we can reproduce and analyze the vulnerability. Usually, the address or URL of the affected system and a description of the vulnerability are sufficient. However, complex vulnerabilities may require further explanations and documentation, such as affected components, impacts, and possibly screenshots or proof-of-concept code.
  • Provide us with a contact option for any questions.
  • Do not share the vulnerability or related information with third parties or the public until we have given you permission to do so. This also includes the preparation of vulnerability reports using third-party software.
  • Do not exploit the vulnerability by, for example, altering or deleting data, uploading code, sending spam, or triggering mass registrations. Access only the data necessary to demonstrate the vulnerability, and do not disclose any sensitive or personal data.
  • Avoid any action that could cause unnecessary damage or impairment to our systems, data, or users.
  • Do not conduct any social engineering (e.g., phishing), (Distributed) Denial of Service, spam, or other attacks on our company or our employees.

Our Commitments and Promises

If you report a vulnerability according to this Vulnerability Disclosure Policy, we promise you that we will:

  • …process your report as quickly as possible and provide you with feedback.
  • …not initiate or allow any legal action against you as long as you adhere to the rules of this VDP. This does not apply if criminal intentions are evident.
  • …strive to fix the vulnerability as quickly as possible and keep you informed of the progress.
  • …where appropriate, give you credit for your report, unless you prefer not to be named.

We thank you for your responsible and cooperative attitude in improving IT security in our company.

Non-qualified vulnerabilities

This Vulnerability Disclosure Policy only applies to certain types of vulnerabilities in our systems that enable potential harm or misuse. The following vulnerabilities or attacks do not fall under our policy and will not be recognized or rewarded:

  • Attacks that require physical access to a user’s device or network.
  • Reports from automated tools or scans that do not contain sufficient explanation or documentation.
  • Forms without CSRF tokens, unless they have high criticality (CVSS score above 5).
  • The use of insecure or “weak” encryption methods or algorithms that do not have a practical impact on security.
  • Missing security headers that do not have a direct impact on the exploitability of a vulnerability.
  • Best practices or general recommendations for improving security, such as certificate pinning or security headers, that do not address a specific vulnerability.