At NS1, we are strong proponents of protecting our customers’ privacy and security. With a mission to manage the world’s application traffic, we not only have a vested interest, but also a deep desire to see the internet remain as safe as possible for us all. Needless to say, we take security issues very seriously.
In our opinion, the practice of 'responsible disclosure' is the best way to safeguard the internet. It allows individuals to notify companies like NS1 of any security threats before going public with the information. This gives us the opportunity to resolve the vulnerabilities before they are exploited.
We value transparency in the security industry and openness in sharing information that could improve security for every organization. NS1 is committed to engaging the research community in a professional, positive and agreeable manner that protects our company and our customers.
As such, we encourage and welcome anyone who believes he or she has identified a vulnerability to contact us with security concerns or pertinent information relating to the integrity, functionality or confidentiality of our software.
The terms below apply to any website, application or service made available by or hosted by NS1.
Please use the email address email@example.com to alert us to:
- Vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data, software, services, or our customers’ data
- Applications that mimic, mislabel, misdirect, or "copycat" NS1, or phishing attacks even if they do not originate from NS1 sources
- Written or verbal discussion, activities, or data in any public forum which you believe constitutes a threat to NS1, our employees or our customers
How to disclose a vulnerability or security issue to NS1
Your submission should contain:
- a clear description and evidence of the vulnerability (logs, screenshots, responses or other evidence)
- the tool(s) you used in discovering the vulnerability
- date of discovery
- detailed steps to reproduce the issue, if possible
- any platforms, operating systems, and/or versions that are relevant
- any relevant IP addresses or URLs
- your assessment of the exploitability or impact of the issue
- your name and contact details
- Do provide a detailed and complete submission
- Do be sure to include your contact information so that NS1 can communicate as necessary
- Do be specific and detailed
- Do treat the vulnerability report and any vulnerability as confidential information and do not divulge to any third person (except disclosure to NS1) any such information unless public disclosure is mutually agreed upon with NS1
- Do report vulnerabilities in a vendor we integrate with or involving leaks of NS1 customer data to us
- Do not break international, federal, state or local laws
- Do not put NS1 data, employees or customers at risk
- Do not run automated scans without obtaining our approval first
- Do not perform any unsolicited testing that would result in a denial of service (DoS), attempt at physical access, or anything that could be considered social engineering against NS1 employees
- Do not publicly disclose any information about the vulnerability
- Do not attempt to exploit any vulnerabilities that you or others have identified
- Do not in any way attack our customers or engage in trade of stolen credentials
NS1 has enacted measures to ensure that reports of this nature are treated with high priority and are responded to quickly and effectively. NS1 commits to responding to credible vulnerability disclosures that provide the required information within 48 business hours.
We will not respond to:
- Hoaxes or anonymous reports
- Reports that are generic or lack evidence to be verified
- Reports that bear no relevance to NS1 as a company, its technologies, its employees or its customers
- Reports that are non-actionable
NS1 believes in coordinated disclosure regarding vulnerabilities that have been reported to us and fixed. We expect professional conduct and will strive to agree on reasonable timelines for updates as well as coordination with security researchers and others who may report vulnerabilities.
While we will work diligently to address vulnerabilities and to set expectations on a timeline for resolution, we cannot guarantee specific windows of time for either fixes or updates to the person who filed the report. If and when we decide to make a public disclosure about a vulnerability, we will give the person who reported such vulnerability the opportunity to be identified in our public disclosure. We cannot guarantee that we will make a public disclosure about any vulnerability, but in no event will we make a public disclosure until we are confident that our technologies, data and employees are secure. At this time, we are not offering financial compensation for vulnerability reports.
Please email firstname.lastname@example.org to report a vulnerability or other information security issue.
Thank you for helping keep NS1 secure!
NS1 appreciates the efforts of the global security research community who work to identify vulnerabilities and collaborate with organizations like ours to create a fix and communicate responsibly to affected parties.