NISC-VDP
This Vulnerability Disclosure Program (Program) is limited to security vulnerabilities in web applications owned by NISC, as set forth in this policy. This Program does not provide bounties/rewards for reported vulnerabilities.
Your participation in our Program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agree to follow the guidelines set forth on this page.
National Information Solutions Cooperative (NISC) is an information technology company that develops and supports software and hardware solutions for our Member-Owners who are primarily utility cooperatives and telecommunications companies across the nation. NISC is an industry leader providing advanced, integrated IT solutions for consumer and subscriber billing, accounting, engineering & operations, as well as many other leading-edge IT solutions.
At NISC, our focus is service excellence and innovative information technology solutions that enable our Member-Owners to excel in customer service, maximize diversification opportunities, and compete effectively in the changing utility and telecommunications industries.
• Be the first to report a specific vulnerability.
• Send a clear textual description of the report along with steps to reproduce the vulnerability. Include attachments such as screenshots or proof of concept code as necessary.
• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• Follow HackerOne's Vulnerability Disclosure Guidelines.
• This Program is limited strictly to technical vulnerabilities of NISC products and services.
• Do not exploit or target vulnerabilities in any NISC accounts, applications, or products.
• Do not cause harm to NISC, our customers/member-owners, or third parties.
• Do not compromise the privacy or safety of our customers/member-owners and the operation of our services. Any activity that would disrupt, damage or adversely affect any NISC or third-party data, account or equipment is not allowed.
• Do not violate any criminal law or other applicable laws.
• You must not be the author of the code with the vulnerability or bug.
• Never leave a system or user in a more vulnerable state than when you found them. This means that you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users.
• If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our Bug Bounty team.
NISC will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response - 2 business days
Time to triage - 2 business days
Time to resolution - depends on severity and complexity.
NISC has included third-party assets in scope but has limited control over ultimate resolution. NISC will resolve any vulnerabilities we control, and we will work with our third-parties when necessary to report issues and encourage their participation in resolving any vulnerabilities that fall outside of NISC control. Thank you for understanding.
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
Rate limiting or brute-force issues on non-authentication endpoints.
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies.
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Open redirect - unless an additional security impact can be demonstrated.
Issues that require unlikely user interaction.
Any information you receive or collect about us, our affiliates, our customers/member-owners, or any of their respective users, employees or agents in connection with Program must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such confidential information, including without limitation any information regarding your submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
We reserve the right to modify or cancel the Program at any time.
| Scope Type | Scope Name |
|---|---|
| other | iVUE AppSuite |
| other | iVUE ABS |
| other | iVUE CC&B |
| other | iVUE Connect |
| other | iVUE E&O |
| other | iVUE Document Vault |
| other | NISC Cloud Portal |
| other | NISC Community |
| other | NISC Payment Gateway |
| other | NISC SmartHub |
| other | Capturis Vendor Portal |
| Scope Type | Scope Name |
|---|---|
| web_application | *.nisc.coop |
| web_application | *.capturis.com |
| web_application | *.nisc-mic.coop |
| web_application | *.igear.coop |
This policy crawled by Onyphe on the 2020-05-04 is sorted as bounty.
FireBounty © 2015-2024
