Ethical hacking & NN Group’s Responsible Disclosure Policy
NN Group N.V. and its subsidiaries (hereafter NN Group) find it important that clients can use online services and applications safely and in a secure manner at all times. Despite our efforts to keep our IT systems secure, you may discover security vulnerabilities in our internet-facing IT environment. We would appreciate your help in disclosing this information to us in a responsible manner.
What to report?
The Responsibility Disclosure Policy reports vulnerabilities with regards to the safety of NN Group ser-vices offered through the internet. In the case that you have discovered a vulnerability in our system, please report this as quickly as possible by sending an email to email@example.com. Examples could be:
- Injection vulnerabilities (SQL, XPATH, etc.)
- Cross-site Scripting (XSS) vulnerabilities
- Encryption vulnerabilities
- Cross-site request forgery (CSRF)
- Privilege escalation
- Remote code execution
- Open redirect
The following finding types are specifically excluded from the program:
- Missing HTTP security headers, specifically:
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- SSL/TLS issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL/TLS weak/insecure cipher suites
- Descriptive error messages (e.g. stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt, readme.txt, changes.txt)
- CSRF on forms that are available to anonymous users, (e.g. the contact form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTPOnly cookie flags
- Weak Captcha/Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- (Distributed) Denial of Service attacks
- Out of date software versions (exceptional cases may still be rewarded)
What is firstname.lastname@example.org not used for?
- Reporting complaints about NN Services & Products
- Questions and complaints about the availability of NN web applications
- Reporting fraud or presumption of fraud
- Reporting fake emails, spam or phishing emails
- Reporting malware
How can vulnerabilities be reported?
A vulnerability can be reported by email: email@example.com Please ensure that your email is written in clear and understandable English. Particularly include the following in your email:
- The entire URL
- Description of the vulnerability
- The steps that are performed (Proof of Concept)
- A possible attack scenario
Our specialists will read your report and start working on it immediately. If you have found a vulnerability in our web applications, please do not hesitate to contact us.
Am I eligible for a reward?
If you report vulnerabilities, you may be eligible for a financial reward. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.
You will be eligible for a reward if:
- The web application belongs to NN Group
- The vulnerability has NOT been reported before by a different ethical hacker
- The finding is well-described and documented (Preferably contains Proof of Concept)
- The finding is valid
Security vulnerabilities in third-party websites and applications that integrate with NN Group's IT envi-ronment do not qualify for a reward.
When researching our systems, always act in good faith. You must use discovered vulnerabilities only for your own investigation. Keep the discovered vulnerability confidential until you have agreed upon when and how to disclose the vulnerability with NN Group.
We do not allow you to do security research on our systems and (online) applications that would mate-rially adversely impact the performance or availability, such as:
- (Distributed) Denial of Service (D)DoS attacks
- Exploits to edit, corrupt or delete data
- Any activity that could disrupt our (online) services
- Changes to systems or configurations
- Placement of backdoors in our systems
- Brute-forcing attacks
- Social engineering
- Penetrating the system more than required
- Sharing gained access with others
- Use of automatic web application scanners (Burp Suite, OWASP ZAP, Webinspect, etc.)
- In case you are eligible for a reward, we require your personal information
- In case your reported vulnerability is reported by others as well, the reward will be granted to the first reporter only
What will we do with your finding?
Every report is handled with the same attention. We will respond to you within five working days of receiving your report. We will review, verify and investigate the vulnerability and reward you if the report is eligible. We will fix the vulnerability and may ask you for feedback about the intended solution.
We respect your privacy. We will only use your contact information for communication with you during the responsible disclosure procedure and also to grant the reward if you are eligible. We will not pass on your personal details to third parties without permission.
Can I report anonymously?
It is possible to report vulnerabilities anonymously; you do not have to supply contact information when you report a vulnerability. Please be aware that when you report anonymously, we cannot contact you about the credits or your potential reward.
We would like to point out that this responsible disclosure policy is governed by Dutch law. If you are located in a different country, keep the applicable local law in mind, as other countries may have different laws regarding responsible disclosure. This could mean that you will be subject to local legal recourse or may be subject to agencies enforcing such different local law , even if NN Group does not seek legal recourse or file a report at a law enforcement agency.
If you discover a vulnerability and investigate it, you might perform actions that are punishable by law. If you abide by the rules of our responsible disclosure policy for reporting the vulnerabilities in our systems, we will not report your offence to the authorities and will not submit a claim.
It is important for you to know, however, that the public prosecutor’s office (the “Openbaar Ministerie”) – not NN Group – will decide whether or not you will be prosecuted, regardless of whether NN Group files a report to the Dutch authorities. NN Group neither represents nor guarantees that you will not be prosecuted if you commit a criminal offence when investigating a vulnerability.
The National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.