Responsible Disclosure

nference recognizes that independent security researchers play a key role in keeping systems secure.

Please follow nference steps for Responsible Disclosure below to review your report about a potential vulnerability in our platform: 

• Do not: report on “Non-qualifying” submission types, publish the details of the issue in any public or private forum, share the details of the vulnerability with others until nference has had the opportunity to resolve the vulnerability, conduct testing which violates any law, or damages, deletes, or corrupts any data which you do not own, use automated tools/scanners or social engineering attacks (such as phishing), report Zero-day vulnerabilities or recently disclosed CVEs until 90 days have passed since patch availability, report multiple false positives, perform any activities which may negatively impact the nference platform and/or users, such as Brute Force or Denial of Service attacks.

If your report complies with all of the above requirements, please contact us immediately at responsible-disclosure@nference.net and:

• Include: a detailed description of the identified discovery with specific testing information and/or reproducible steps which outline the finding in detail.

Upon receipt of these details and completion of internal verification steps, nference will follow up with the reporting security researcher within a week regarding the estimated time to resolution.  The research will also be notified when the vulnerability has been addressed.

Acceptance of valid reports remains at the discretion of our team, however nference is happy to thank every individual researcher who responsibly and ethically submits a vulnerability report that helps us improve our overall security posture. 

When it is deemed to be appropriate, thanks from nference might be expressed monetarily or in the form of a gift and could include public recognition for the reporter.

Non-qualifying submission types:

The following typical low-impact submissions should not be reported unless you can demonstrate a chained attack with higher impact:

1. HTTP 404 codes/pages or other HTTP non-200 codes/pages.
2. Fingerprinting / banner disclosure on common/public services.
3. Disclosure of known public files or directories, (e.g. robots.txt).
4. TapJacking/Clickjacking and issues only exploitable through TapJacking/Clickjacking.
5. Social engineering of our service desk, employees or contractors
6. Missing HTTP security headers
7. Strict-Transport-Security
8. X-Frame-Options
9. X-XSS-Protection
10. X-Content-Type-Options
11. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
12. Content-Security-Policy-Report-Only
13. SPF / DMARC / DKIM Mail and Domain findings.
14. Email Rate Limiting or Spamming
15. SSL Issues, e.g.
16. SSL Attacks such as BEAST, BREACH, Renegotiation attack
17. SSL Forward secrecy not enabled
18. SSL weak / insecure cipher suites
19. Non-application layer Denial of Service or DDoS
20. Cookie Issues
21. HTTPONLY
22. SECURE
23. multiple cookie setting
24. Anything to do with JSESSIONID
25. CSRF on forms that are available to anonymous users (e.g. login or contact form).
26. Logout / Login Cross-Site Request Forgery (logout CSRF).
27. Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
28. Error messages with non-sensitive data.
29. Username / email enumeration, password guessing and exposed API interfaces (like xmlrpc.php) in standard software (i.e. Wordpress)
30. Issues related to cross-domain policies for software such as Wordpress, Silverlight, etc. without evidence of an exploitable vulnerability