Bug bounty

Responsible disclosure and bug bounty

Introduction

We appreciate responsible disclosure of security vulnerabilities. This document details our stance on reported security problems. No matter how much effort we put into system security, bugs and accidents can happen and security vulnerabilities can be present. If you discover a vulnerability, we would like you to inform us so we can take appropriate action as quickly as possible.

Please

• Email your findings to security@nextmessage.nl.
• Do not take advantage of the vulnerability or problem you have discovered. For example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
• Do not reveal the problem to others until it has been resolved. We take all reports extremely seriously and will get back to you as soon as possible.
• Do not use attacks on physical security, social engineering, (distributed) denial of service, spam, or applications of third parties.
• Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
• Use “SECURITY_RESEARCH” as company name when creating a new Nextmessage account for security research purposes

We promise

• To respond to your report within 3 business days.
• To respond with our evaluation within 7 business days.
• If you followed the instructions above, we will not take legal action against you in regards to your report.
• We will handle your report with strict confidentiality and will never pass on your personal details to third parties without your permission.
• We will keep you informed of the progress towards resolving the problem.

Bug bounty

Nextmessage appreciates your help in keeping our systems safe. Depending on the vulnerability being reported, we may offer a reward for reporting it. Typical rewards are bounties up to 100 euros for low severity vulnerabilities, with higher bounty amounts for more severe issues. The specific reward for a given vulnerability is at our discretion. We will not award a bounty for vulnerabilities that:

• Were found in a manner not conforming to our responsible disclosure guidelines.
• Are already known to us.
• Cannot be proven to be exploitable.
• Services that are out of scope. These include, but are not limited to:
  • nextmessage.nl + www.nextmessage.nl
  • static.nextmessage.nl
  • app.nextmessage.nl
  • ftp.nextmessage.nl
  • mail.nextmessage.nl
  • pixel.nextmessage.nl
  • api.nextmessage.nl
  • app.api-express.nextmessage.nl
  • api-express.nextmessage.nl
  • viewonlinenextmessage.nl
  • unsubscribe.nextmessage.nl
• Are unconfirmed reports from automatic vulnerability scanners.
• Are related to rate limits or brute force attacks.
• Only demonstrate the ability to infer versions of software that we run (banner grabbing).

We will pay out bounties to any individual permissible under Dutch law. Bounties will always be paid out to a single individual and not to a group of people. This policy was adapted from Floor Terra’s example policy from https://responsibledisclosure.nl