Aller au contenu principal

Responsible Disclosure Program

Noxys has a commitment to responsible security research and vulnerability disclosure.

Our Commitment

We believe in:

  • Transparency: We acknowledge all security researchers
  • Timeliness: Critical fixes within 48 hours
  • Fairness: Sufficient time to develop and release fixes before public disclosure
  • Recognition: Credit researchers in security advisories

Reporting a Vulnerability

Do's and Don'ts

DO:

  • Email security@noxys.eu with vulnerability details
  • Include reproduction steps and affected versions
  • Provide suggested fix (optional)
  • Be respectful and professional
  • Give us reasonable time to respond

DON'T:

  • Post vulnerability to GitHub issues or public forums
  • Disclose to media or other platforms first
  • Exploit the vulnerability beyond what's needed for proof-of-concept
  • Share the vulnerability with other researchers without permission
  • Access data you're not authorized to access

Reporting Process

1. Initial Report

Email security@noxys.eu with:

Subject: [SECURITY] Vulnerability in Noxys [version]

Description:
- Vulnerability type (e.g., SQL injection, XSS, authentication bypass)
- Affected component(s)
- Affected version(s)
- Severity assessment (critical, high, medium, low)

Reproduction Steps:
1. [Step 1]
2. [Step 2]
3. [Step 3]

Impact:
- What can an attacker do?
- What data could be compromised?

Proof of Concept:
[Code or detailed steps to reproduce]

Suggested Fix (optional):
[Your proposed solution, if you have one]

Your Contact Information:
- Name
- Email
- PGP key (optional)
- GitHub profile (optional)

2. Acknowledgment

We will respond within 1 hour (critical) or 24 hours (non-critical) with:

  • Confirmation we received the report
  • Initial severity assessment
  • Expected timeline for fix
  • Security researcher credit (if desired)

3. Investigation

Our security team will:

  1. Reproduce the vulnerability
  2. Assess impact and severity
  3. Develop a fix
  4. Test the fix
  5. Plan the release

4. Coordination

We'll keep you updated on:

  • Progress on developing a fix
  • Estimated release date
  • Planned advisory release
  • Your credit/attribution

5. Public Disclosure

After fix is released, we will:

  1. Publish security advisory at https://security.noxys.eu
  2. Include your name (if you want credit)
  3. Detail the vulnerability
  4. Thank you in acknowledgments section

Disclosure Timeline

Critical Vulnerabilities

Definition: Remote code execution, authentication bypass, complete data compromise

TimelineActivity
Hour 1Acknowledge receipt
Hour 24Initial assessment, begin fix
Hour 48Security patch released
Hour 72Public advisory published

High-Severity Vulnerabilities

Definition: Significant security impact (privilege escalation, data leak)

TimelineActivity
Hour 24Acknowledge receipt
Day 5Fix released
Day 7Public advisory published

Medium-Severity Vulnerabilities

Definition: Limited impact, requires specific conditions

TimelineActivity
Day 1Acknowledge receipt
Day 10Fix released
Day 14Public advisory published

Low-Severity Vulnerabilities

Definition: Minimal impact or requires special access

TimelineActivity
Day 3Acknowledge receipt
Day 30Fix released in next version
Day 60Public advisory published

Security Advisory Format

Our public security advisories include:

# Noxys Security Advisory [GHSA-XXXX-XXXX-XXXX]

## Vulnerability: [Title]

**Severity**: High / Critical / Medium / Low

**Affected Versions**: v0.2.0 - v0.2.5

**Fixed Version**: v0.2.6

## Summary

[Clear description of the vulnerability]

## Impact

[What could an attacker do?]

## Mitigation

For users unable to upgrade immediately:
- [Temporary mitigation steps if available]

## Acknowledgment

Thank you to [Researcher Name] for responsibly disclosing this vulnerability.

## References

- [CVSS v3.1 Score: X.X]
- [CWE-XXX: Vulnerability Type]
- [GitHub commit: abc123def456]

## Remediation

**Upgrade to v0.2.6 immediately** or apply temporary mitigation steps above.

Severity Ratings

We use CVSS v3.1 for severity assessment:

CVSS ScoreSeverityExample
9.0-10.0CriticalRCE, auth bypass
7.0-8.9HighSQL injection, data leak
4.0-6.9MediumPrivilege escalation, denial of service
0.1-3.9LowInformation disclosure, XSS

Out of Scope

The following are out of scope for our disclosure program:

  • Social engineering (but report to security@noxys.eu anyway)
  • Physical security (report to physical-security@noxys.eu)
  • Denial of service (rate-limited APIs only)
  • Spam (report to abuse@noxys.eu)
  • Vulnerabilities in dependencies (report to maintainers)
  • Third-party services (report to the vendor)

In Scope

  • Application code (noxys/proxy, noxys/console, noxys/extension)
  • API authentication and authorization
  • Database security
  • Encryption implementation
  • Infrastructure security (cloud deployments)

Security Researcher Policy

What We Provide

  • Credit: Public acknowledgment in security advisories
  • Transparency: Detailed explanation of the vulnerability
  • Bounty: Currently, recognition only (formal bounty program coming)

Researcher Responsibilities

  • Confidentiality: Do not disclose before agreed timeline
  • Legal Compliance: Test only on Noxys systems you control
  • Professionalism: Communicate respectfully
  • Patience: Allow reasonable time for fix development

Public Vulnerability Database

All disclosed vulnerabilities are published in:

Bug Bounty Program (Roadmap)

Formal bug bounty program coming in 2026:

  • Scope: Application code + infrastructure
  • Rewards: €500 - €5,000 depending on severity
  • Platform: HackerOne or Bugcrowd (TBD)

Check back soon or email security@noxys.eu for updates.

Contact Information

Security Team

  • Email: security@noxys.eu
  • PGP Key: [Available on request]
  • Response Time: 1-24 hours depending on severity
  • Confidentiality: All reports treated as confidential until disclosed

Other Contacts

Security Researcher Acknowledgments

We thank the following security researchers for responsibly disclosing vulnerabilities:

2026

  • March 2026: [Researcher Name] - XSS in API response (GHSA-2026-0001)
  • February 2026: [Researcher Name] - Authentication bypass (GHSA-2026-0002)

[More to come as disclosures are resolved]

Frequently Asked Questions

Q: How long should I wait before public disclosure?

A: Follow our timeline above:

  • Critical: 72 hours after fix release
  • High: 14 days after fix release
  • Medium/Low: 30+ days after fix release

If we're unresponsive, you may disclose after 90 days.

Q: Can I discuss the vulnerability with other researchers?

A: No, without explicit permission from Noxys. This maintains the coordinated disclosure process.

Q: Will I receive credit?

A: Yes, if you want it. We include your name (or pseudonym) in:

  • Security advisory
  • GitHub commit message
  • Security researcher list

Q: What if I disagree with your severity assessment?

A: Let's discuss. Email security@noxys.eu with your reasoning. CVSS scores are objective, but context matters.

Q: What if you don't fix it?

A: If we deem something not a vulnerability or won't fix:

  1. We'll explain our reasoning
  2. You can request a second opinion
  3. After 90 days, you may disclose publicly

Q: Do you test the fix before release?

A: Yes, thoroughly:

  1. Unit tests for the fix
  2. Integration tests
  3. Security regression testing
  4. Staging environment validation
  5. Limited rollout to early customers

Additional Resources

Next Steps

Thank you for helping keep Noxys secure.

Email security@noxys.eu with any questions about this program.