Nedap Retail Coordinated Vulnerability Disclosure Program
Did you discover a vulnerability in one of our systems? If so, you can help us by reporting it, so that together we can improve the safety and reliability of our systems.
At Nedap Retail, the security of our systems is the top priority. Despite the effort we put into the security of our systems, there might still be vulnerabilities present. We recognize that we cannot find all bugs ourselves, and that security researchers and our community play an important role in keeping our systems safe.
We have adopted a Coordinated Vulnerability Disclosure (CVD) program as described below, to encourage everybody to report potential security vulnerabilities. If you discover such a vulnerability, we would like to know about it and we would like to ask your help so we can take steps to address it.
In scope
Any vulnerability that substantially affects the confidentiality or integrity of (user) data in Nedap Retail's critical internet-facing applications is likely to be in scope for the program. At least the following URLs are in scope:
Vulnerabilities with a valid attack scenario affecting the security of Nedap Retail's services offered through the internet. Examples of such vulnerabilities include (but are not limited to):
Cross-Site Scripting (XSS) vulnerabilities
SQL or other injection vulnerabilities
Local File Inclusions
Broken Authentication or Access Control
Security misconfiguration
Sensitive data exposure
Out of Scope
Out of scope are all domains that are not related to Nedap Retail. Nedap N.V. has several business units that operate as independent entities. Retail is one of them. In this CVD program we solely focus on the issues for the Retail business unit (for all business units, see Business units - Nedap).
What not to report
We will not accept trivial issues, vulnerabilities that cannot be exploited, or certain less relevant configuration/hardening issues that we are probably already aware of but cannot or will not fix for various reasons. The CVD program is meant for issues that can be exploited immediately and pose a direct threat. Out-of-scope issues that cannot be directly exploited will be marked as informational and may not receive a response as quickly.
Some examples of issues that will NOT be accepted are:
HTTP 404 codes, or any non-200 codes
Fingerprinting on public services
Public files, or files containing harmless information (e.g. robots.txt)
Clickjacking-related issues
SPF, DKIM or DMARC issues
Reports about old software versions without a working proof of concept (PoC)
Issues related to old(er) TLS versions and/or cipher suites being supported
Issues related to certain missing HTTP headers, or headers that are not set strictly enough
Issues related to the use of old browser versions
The CVD program contact form or e-mail address cannot be used to get in touch with Nedap Retail about matters such as:
Questions or complaints regarding availability
Questions or complaints regarding Nedap Retail’s services or products
Questions or complaints regarding compliance
Fake e-mails or phishing e-mails
Guidelines for security research
Do not reveal any vulnerability or problem you have found to others until it has been resolved.
Do’s
Do report the vulnerability as quickly as is reasonably possible, to minimise the risk of hostile actors finding it and taking advantage of it.
Do report in a manner that safeguards the confidentiality of the report so that others do not gain access to the information.
Do provide sufficient information to reproduce the problem, so that we can resolve it quickly. Usually, the IP address or URL of the affected system together with a description of the vulnerability will be sufficient. However, complex vulnerabilities may require further explanation and/or proof-of-concept code.
Do use our staging environment, wherever possible and applicable, to test and prove the vulnerability instead of production.
Don’ts
Do not engage in security research that involves:
Potential or actual damage to users, systems, data or applications.
Creating your own backdoor in an information system, even with the intention of then using it to demonstrate the vulnerability.
Utilising a vulnerability further than necessary for establishing its existence.
Copying, modifying and/or deleting data on the system. An alternative is to make a directory listing of the system.
Making changes to the system.
Repeatedly gaining access to the system, or sharing access with others.
Brute force attacks, social engineering, DDoS attacks, spam or attacks on physical security.
The use of third parties to gain access to the system.
Disruption of our online services.
What we promise
When investigating our systems, you may perform actions that are prosecutable. If you act in good faith and in accordance with the rules set out here, we will have no reason to report your actions. Therefore, follow the rules of this CVD policy.
Our goal is to respond to your report within one week with our evaluation and a timeframe for fixing the issue.
We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymously is possible.
We will keep you informed of the progress towards resolving the problem.
We strive to resolve all problems as quickly as possible, and we are happy to play an active role in a publication on the problem after it is resolved.
Reporting
Submit your findings using this form. We can only process reports written in Dutch or English.
Rewards
Depending on the severity, and provided the reported vulnerability is resolved or leads to a change in our services, you will be eligible for a reward. To be eligible, the vulnerability must meet the requirements outlined in this policy and you must be the first person to report it.
More info
The National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands has published guidelines on reporting vulnerabilities in IT systems. Nedap Retail's guidelines are based on those. To learn more about these guidelines, visit https://www.ncsc.nl.