OUR VULNERABILITY HANDLING COMMITMENT
We commits to the following minimum handling practices:
- Acknowledgement: NC& will acknowledge receipt of potential vulnerability reports within 7 calendar days and provide a tracking identifier where feasible.
- NC& aim to perform an initial assessment of vulnerability reports within 14 calendar days, NC& will promptly inform the reporter (and other relevant stakeholders as appropriate).
- NC& will periodically (once every 30 calendar days) communicate with the reporter and relevant stakeholders, including status updates, significant new information, changes to plans, and disclosure timing until resolution of the reported issues.
RESEARCHER GUIDLINE
We asks the security research community to:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to internal or external servers, and destruction of data or physical assets during security testing.
- Provide sufficiently complete reporting details to enable verification and remediation.
- Keep information about the potential vulnerability confidential between you and NC& until a remedy is available or a mutually agreed disclosure plan is reached.
- Refrain from using any exploits or vulnerability information for commercial or business purposes.