Responsible Disclosure Policy

Hello Friend!

We thank you very much for your willingness and honesty in finding security vulnerabilities in our systems and your desire to report them to us professionally and honestly, without malicious intentions.

Below you can see our RDP (responsible disclosure policy).

Please note that this policy is a living document; check it regularly for changes.

Thank you and stay healthy!

Introduction

At NFON, we are committed to ensuring the security of our information, systems and services, and we value the role of security researchers in helping us mitigate cyber security risk.

If you believe you have discovered a suspected cyber threat or security vulnerability that affects the confidentiality, integrity or availability of NFON's information, systems or services, please submit a report to our security team via one of the methods below.

For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.

What’s not allowed?

While we encourage security research on our products and services, the following types of research are strictly prohibited:

  1. Accessing or attempting to access accounts or information you are not authorized to
  2. Any attempt to modify or destroy information
  3. Sending or attempting to send unsolicited or unauthorized e-mail or other types of messages
  4. Conducting social engineering (including phishing) on Group employees, contractors, customers, or any other related party
  5. Using automated tools for port scans, brute force, directory search, domain/subdomain search, fuzzing, or scanning in general
  6. Posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products, or customers

Scope

Any NFON-owned website, web service or mobile application that handles reasonably sensitive user data is intended to be in scope. Examples include virtually all content in the following domains:

  • *.nfon.com
  • *.nfon.net
  • *.cloudya.com
  • *.ncontrol.de
  • *.mynfon.net
  • *.cloud-cfg.com
  • *.kommunikations-dienste.de

Out of Scope Vulnerabilities

The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:

  1. Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  2. Third-party applications, websites or services that integrate.
  3. Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.
  4. Missing security best practices, e.g., security headers, mixed content, SSL/TLS configuration, etc.
  5. Rate limiting issues
  6. Password Policy
  7. CSRF vulnerabilities without any impact
  8. Host header injection without proof of user data extraction
  9. DoS/DDoS

Reporting a security issue

You can responsibly disclose suspected vulnerabilities to the NFON Cyber Security Team by emailing security-incident(at)nfon(dot)com.

Report structure

To assist us in investigating your report, we recommend you follow the structure below:

  1. Affected product or service, including affected URL(s)
  2. Your name and contact information (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)
  3. Date, time and time zone of when the suspected vulnerability was discovered
  4. IP address used when the suspected vulnerability was discovered
  5. Steps to reproduce the vulnerability (clear proof of concept)

Guidelines for Reporting

To ensure a collaborative approach, please respect the guidelines set out below:

  1. You are contacting us in your personal capacity and are at least 18 years of age or have your parent or guardian’s permission to contact us.
  2. You will not engage in any activity that could harm NFON, our customers, employees, services and/or assets.
  3. You will not share, compromise, or disclose any personally identifiable information.
  4. You will not use social engineering or brute force methods to attempt to obtain confidential credentials.
  5. You agree to comply with all applicable laws and regulations in connection with your security research activities.
  6. You will allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter.

Rewards

NFON provides rewards for accepted vulnerability reports at its discretion.

All researchers who submit an accepted vulnerability report to us will also be listed on our Hall of Fame.

Should an accepted vulnerability report have a larger impact, our minimum reward is a €25 Amazon gift card. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report.

Keep in mind that this is not a contest or competition.

We reserve the right to determine the amount of a reward, or whether a reward should be granted at all.