INTRODUCTION
PostNord, a leader in parcel distribution, creates solutions for e-commerce, fulfillment, supply chain, warehousing, and a wide range of delivery solutions. Our goal is to make everyday life easier by providing a smooth delivery experience to our customers.
The safety and security of our customers’ data, and the reliability of our products and services, are of utmost importance to PostNord Group AB (hereon PostNord). Therefore, we aim to design and make products and services with the highest levels of security and reliability.
This policy describes PostNord’s approach to requesting and receiving reports related to potential vulnerabilities and errors in its products and services from those that interact with such products and services.
We believe that no technology or solution is perfect and do recognize the need to maintain vigilance over our cyber risk to protect the services we provide and the data we hold. Working with security minded people like you, is therefore crucial in identifying and mitigating any weaknesses in our systems.
SCOPE
This policy applies to the entire PostNord Group (i.e., group functions, country organizations and any companies owned by PostNord Group). Customers, users, researchers, partners and any other person who interacts with PostNord's products and services:
- PostNord websites
- PostNord mobile applications
- PostNord APIs
- PostNord infrastructure
are encouraged to report identified vulnerabilities and errors with such products and services.
GUIDELINES
- Non-Disruption:
  - Denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data are prohibited.
  - Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Exploitation:
  - Do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
  - Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems under any circumstance.
- Disclosure Timing:
  - If you must disclose the issue publicly, provide us with a reasonable amount of time to resolve it first. We request at least 90 days.
- Safety:
  - Do not intentionally compromise the security or privacy of PostNord personnel or third parties.
- Social Engineering:
  - Any form of social engineering or phishing attack is prohibited.
- Notification:
  - Notify us as soon as possible after you discover a real or potential security issue.
  - If you encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
LEGAL SAFE HARBOR
We interpret activities that comply with this policy as authorized, and we will not initiate legal action against you. If legal action is initiated by a third party against you and you have complied with this policy, we will take the necessary measures to make it known to the authorities that your actions were conducted in compliance with this policy.
HOW TO REPORT VULNERABILITIES
PostNord highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. Reporting such vulnerabilities and errors will contribute to improving the security and reliability of our products and services.
The preferred method for contacting PostNord regarding a vulnerability or error in our products or services is by using the form present on this page.
- Please note that supplying your contact information with your report is entirely voluntary and at your discretion.
- PostNord will make use of all reports that are submitted; both those submitted anonymously and those with contact information.
- If you do submit your contact information, PostNord will only use such information to get in touch with you regarding clarifying the details of your report, if that is necessary.
- Please visit PostNord’s general privacy policy to see how we respect the privacy of your personal data: GDPR at PostNord | PostNord
KNOWN VULNERABILITIES
We are already aware of the vulnerabilities below in our environment, so please refrain from reporting them, or from reporting vulnerabilities that can easily be discovered or identified by a network or web application scanning tool:
- Missing security-related HTTP headers
- Outdated libraries or software versions
- Expired certificate or other related TLS/SSL issues
HOW TO SUBMIT A REPORT
Provide a detailed description of the vulnerability (preferably in English), including:
- Type of issue
- The affected application/system and the location where the vulnerability was discovered or can be found.
- Step-by-step instructions to reproduce the issue including attachments such as screenshots or proof of concept code where necessary.
- Impact of the issue
- Suggested mitigation or remediation actions, as appropriate.
On our side, we will be looking to replicate your findings and remediate based on potential impact.
TERMS AND CONDITIONS
By making a report to PostNord using the form on this page, or otherwise communicating a report to PostNord, regarding vulnerabilities and errors, you agree to the following terms:
- You have understood and agreed to the guidelines described in this policy.
- PostNord may use your report for any purpose deemed relevant by PostNord, including without limitation, for the purpose of correcting any vulnerabilities and errors that are reported and that PostNord deems to exist and to require correction. To the extent that you propose any changes and/or improvements to a PostNord product or service in your report, you assign to PostNord all use and ownership rights to such proposals.
- You confirm to PostNord that:
  - You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to PostNord), the discovered vulnerabilities and/or errors;
  - You have not engaged, and will not engage, in testing/research of systems with the intention of harming PostNord, its customers, employees, partners or suppliers;
  - You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
  - You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
  - You have not tested, and will not test, the physical security of any property, building, plant or factory of PostNord;
  - You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the PostNord product or service that led to your report.
- You agree not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, or the fact that vulnerabilities and/or errors have been reported to PostNord.
- You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report.
WHAT YOU CAN EXPECT FROM US
We recognize the value of your contribution and take every disclosure seriously. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate the risk and remediate reported vulnerabilities.
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible. This includes:
- Acknowledgement of receipt of your report to the best of our ability.
- An open dialog to discuss your vulnerability report.
- As a way of expressing our gratitude for submitting a vulnerability report, PostNord will, if desired by the reporter, add the reporter to our Acknowledgment lists.