Responsible Disclosure Program
neoshare is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to neoshare.
If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below. Thank you in advance for your submission; we appreciate researchers assisting us in our security efforts.
1. What is Responsible Disclosure at neoshare?
Responsible Disclosure is an ethical way of reporting system vulnerabilities that gives us sufficient time to identify and apply the appropriate countermeasures before the vulnerabilities become public.
By doing so, the reporter helps us identify and resolve system weaknesses, making a valuable contribution to the security of our services and the protection of customer data, and helping to avoid damage or disruption to our systems.
2. How Responsible Disclosure works at neoshare
Should someone identify one or more vulnerabilities in any of the following environments:
- neoshare portals (*.neoshare.de)
- The neoshare website (www.neoshare.de)
- Other technical systems or IT services used or provided by neoshare
they can send us the information by following the procedure laid out below.
The reporter should refrain from engaging in any actions that could disrupt the affected system or service, or lead to data leakage or loss. Their use of the system or service should be kept to a minimum and they should avoid accessing any data that is not strictly required to demonstrate the presence of the vulnerability.
3. Reporting a vulnerability responsibly
The reporter must send the information via email to security@neoshare.de. Please include the following information in your email:
- Type of vulnerability or issue.
- Service, product or URL affected.
- IP address from which the vulnerability was identified along with the date and time of discovery.
- Special configuration or requirements to reproduce the issue.
- Information necessary to reproduce the issue.
- Confirmation that no activity has been performed to disrupt our systems or services and that no data has been copied or taken.
- Whether or not you consent to being listed in the Hall of Fame section, along with your first and last name.
You are required to maintain utmost confidentiality regarding any vulnerabilities found. Therefore, you must agree not to disclose, either fully or partially, any of this information, in any manner, to any third parties without explicit authorization from neoshare.
Once the report has been received, neoshare is committed to:
- Send an email to the reporter confirming receipt of the provided information. Within 10 days of this confirmation, neoshare will send a second email containing an evaluation of the reported vulnerability, along with the results of our initial analysis.
- Publicly thank the reporter in the Hall of Fame section, provided the report is eligible and the original email included the necessary consent.
Below you will find some examples of vulnerability categories, which are considered eligible for publication in the Hall of Fame:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Injection (e.g. SQL injection, other unsanitized user input)
- Broken Authentication and Session Management
- Broken Access Control
- Security Misconfiguration
- Open redirects / Man-in-the-Middle attacks
- Remote code execution
- Underprotected APIs
- Privilege Escalation
On the other hand, the following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:
- Issues that are not security-related (e.g. unavailability of a service, non-security bugs), which are handled through the usual customer care channels.
- Phishing, spam, and issues that rely on social engineering techniques.
- Output of automated vulnerability assessment/penetration testing tools (e.g. Nessus, nmap, Burp Suite).
- Reports of weak TLS configurations, or of non-compliance with best practices (e.g. missing security headers).
While carrying out your activities, please respect the following rules:
- report the vulnerability to us while keeping the information confidential (especially if it concerns personal data);
- inform us of any vulnerabilities using the method described above, and report them promptly so that they can be addressed and resolved before threat actors can exploit them;
- do not use social engineering or phishing to gain access to our IT infrastructure or services;
- do not install your own backdoor or execute code on our systems to demonstrate the vulnerability, as this may cause unnecessary damage and security risks;
- do not exploit a vulnerability beyond what is necessary to confirm it;
- do not modify the system/service or its data in any manner;
- do not use Denial of Service attacks, brute force attacks, or aggressive and/or automated scanning;
- do not negatively impact the confidentiality, integrity or availability of our services or our data.
Some hacking activities are considered illegal acts. To safeguard both you and us, it is important to act in good faith and abide by these ethical engagement guidelines.
4. Out of scope vulnerabilities
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:
- Physical Testing
- Social Engineering
- Phishing
- DoS and DDoS attacks
- Resource Exhaustion Attacks
5. Bug Bounty
We currently do not offer a paid bug bounty program. However, we would like to show our appreciation to security researchers who help us identify and resolve system weaknesses according to this policy. Reporters of qualifying vulnerabilities will be offered an opportunity to become a part of our Hall of Fame.
6. Hall of Fame
We would like to thank everyone who makes a responsible disclosure to us and to recognize their contribution to the security of our products and services by featuring them in our Hall of Fame.