We commits to the following minimum handling practices:
- Acknowledgement: NC& will acknowledge receipt of potential vulnerability reports within 7 calendar days and provide a tracking identifier where feasible.
- Initial assessment (triage): NC& will perform an initial assessment of vulnerability reports. If NC& does not consider a report to be a vulnerability, NC& will inform the reporter (and other relevant stakeholders as appropriate).
- Ongoing communication: During handling, NC& will communicate with the reporter and relevant stakeholders, including status updates, significant new information, changes to plans, and disclosure timing.
We asks the security research community to:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to internal or external servers, and destruction of data or physical assets during security testing.
- Provide sufficiently complete reporting details to enable verification and remediation.
- Keep information about the potential vulnerability confidential between you and NC& until a remedy is available or a mutually agreed disclosure plan is reached.
- Refrain from using any exploits or vulnerability information for commercial or business purposes.