We thank you very much for your willingness and honesty in finding security vulnerabilities in our systems and your desire to report it to us professionally and honestly, without malicious intentions.
Below you can see our RDP (responsible disclosure policy).
Please note that this policy is a living document and check it regularly for changes.
Thank you and stay healthy!
At NFON, we are committed to ensuring the security of our information, systems and services and value the role of security researchers in helping us mitigate cyber security risk.
If you believe you have discovered a suspected cyber threat or security vulnerability that affects the confidentiality, integrity or availability of NFONs information, systems or services, please submit a report to our security team via one of the methods below.
For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.
While we encourage security research on our products and services, the following types of research are strictly prohibited:
Any NFON owned website, web-service or mobile application that handles reasonably sensitive user data is intended to be in scope. Examples include virtually all content in the following domains:
The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:
You can responsibly disclose suspected vulnerabilities to the NFON Cyber Security Team by emailing: security-incident(at)nfon(dot)com
To assist us in investigating your report, we recommend you follow the structure:
To ensure a collaborative approach, please respect the guidelines set out below
NFON provides rewards for accepted vulnerability reports at its discretion.
All researchers who submit an accepted vulnerability report to us will also be listed on our Hall Of Fame.
Should an accepted vulnerability report have a larger impact, our minimum reward is a €25 Amazon gift card. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report.
Keep in mind that this is not a contest or competition.
We reserve the right to determine amount or even whether a reward should be granted.