Did you discover any vulnerabilities in one of our systems? If so, you can help us by reporting these vulnerabilities so we can improve the safety and reliability of our systems together.

At Nedap Retail, the security of our systems is the top priority. Despite the effort we put into the security of our systems, there might still be vulnerabilities present. We recognize that we cannot find all bugs ourselves, and that security researchers and our community play an important role in keeping our systems safe.

We have adopted a Coordinated Vulnerability Disclosure (CVD) program as described below, to encourage everybody to report potential security vulnerabilities. If you discover such a vulnerability, we would like to know about it and we would like to ask your help so we can take steps to address it.

In scope

Any vulnerability that substantially affects the confidentiality or integrity of (user) data in Nedap Retail's critical internet-facing applications is likely to be in scope for the program. At least the following hosts are in scope (staging and production environment per service):

Staging                          Production
api-test.nedapretail.com         api.nedapretail.com
api-test.nedapretail.us          api.nedapretail.us
devices-test.nedapretail.com     devices.nedapretail.com
devices-test.nedapretail.us      devices.nedapretail.us
idcloud-test.nedapretail.com     idcloud.nedapretail.com
idcloud-test.nedapretail.us      idcloud.nedapretail.us

What to report

Vulnerabilities with a valid attack scenario that affect the security of Nedap Retail's services offered over the internet. Examples of such vulnerabilities may include (but are not limited to):

Out of Scope

All domains that are not related to Nedap Retail are out of scope. Nedap N.V. has several business units that operate as independent entities, and Retail is one of them. This CVD program covers only issues in the Retail business unit (for an overview of all business units, see Business units - Nedap).

What not to report

We will not accept trivial issues, vulnerabilities that cannot be exploited, or less relevant configuration/hardening findings that we are most likely already aware of but cannot or will not fix for various reasons. The CVD program is meant for issues that can be exploited directly and pose an immediate threat. Out-of-scope issues that cannot be directly exploited will be marked as informational and may not receive a response as quickly.

Some examples of issues that will NOT be accepted are:

The CVD program contact form or email address cannot be used as a way to get in touch with Nedap Retail for reports like:

Guidelines for security research

Do not reveal any found vulnerability or problem to others until it is resolved.

Do’s

Don’ts

Do not engage in security research that involves:

What we promise

We strive to resolve all problems as quickly as possible, and we are happy to play an active role in a publication on the problem after it is resolved.

Reporting

Submit your findings by using this form. We can only process reports written in Dutch or English.

Rewards

Depending on the severity, and provided your reported vulnerability is fixed or leads to a change in our services, you will be eligible for a reward. To be eligible, the vulnerability must meet the requirements outlined in this policy and you must be the first person to report it.

More info

The National Cyber Security Centre (NCSC) of the Ministry of Security and Justice in The Netherlands has drawn up guidelines for reporting vulnerabilities in IT systems. Nedap Retail's guidelines are based on those. If you want to learn more about these guidelines, visit https://www.ncsc.nl.