Responsible Disclosure Policy
Nearsoft
____________________________________________________________________________
Purpose
At Nearsoft, safeguarding the security and privacy of our systems, users, and data is a top priority. We recognise the valuable role that independent security researchers and ethical hackers play in identifying potential vulnerabilities. This policy sets out how to responsibly report security issues, the scope of eligible systems, and our commitments in response.
Scope
This policy applies to any security vulnerabilities discovered in systems owned, operated, or maintained by Nearsoft, including but not limited to:
- Publicly accessible domains, websites, and services
- Web and mobile applications
- APIs
- Internal infrastructure and tools hosted in the cloud, where accessible via the Internet
- The policy covers vulnerabilities that could compromise:
- Confidentiality of user or system data
- Integrity of services or code
- Availability of services
The following are out of scope and do not qualify for responsible disclosure recognition:
- Social engineering, phishing, or physical attacks
- Spam or DDoS testing
- Vulnerabilities requiring root/jailbroken devices
- Automated vulnerability scanning without prior written consent
- Attacks that rely on outdated browser versions or OS configurations not in use in our environment (e.g., jailbroken/rooted devices)
- Reports without adequate evidence or reproducibility
- Attacks against third-party services or providers
- Clickjacking, CSRF, or open redirect reports without demonstrated exploitability
- Reports involving third-party platforms not under Nearsoft’s control (e.g., GitHub, Slack)
Reporting a Vulnerability
If you believe you’ve discovered a security vulnerability, please report it to us confidentially and responsibly via email to info@nearsoft.pt. Your report should include:
- A clear, concise description of the issue
- Detailed steps to reproduce the vulnerability
- The method used and the approximate time of discovery
- Any supporting evidence (e.g., screenshots, logs etc)
- The potential impact, if known
- Your contact information (optional), if you'd like updates
For urgent or high-severity vulnerabilities, you may mark your email subject as “URGENT – Responsible Disclosure”.
If needed, we may escalate incidents to appropriate supervisory authorities or affected stakeholders in line with our incident response plan and legal obligations.
Guidelines
To ensure a collaborative and ethical process, we expect that all reports comply with the following principles:
- Act responsibly and in good faith, with the intent of protecting users and systems.
- Avoid causing harm, such as data loss, service disruption, or unauthorised access to personal or sensitive information.
- Do not exploit any identified vulnerability beyond what is necessary to prove its existence.
- Respect user privacy, and do not attempt to access, copy, alter, or delete data that is not your own.
- Avoid automated or high-volume testing, such as DoS or brute-force scanning, which may affect availability.
- Wait at least 90 days after your report before making any public disclosure, unless Nearsoft has resolved the issue or agreed otherwise. Early disclosure without coordination may jeopardise user security and violate this policy.
- Ensure a cooperative and responsible behaviour in compliance with the law.
What You Can Expect from Nearsoft
When you report a suspected vulnerability in good faith, Nearsoft will:
- Acknowledge receipt of your report within five (5) business days.
- Conduct an initial assessment and respond with our evaluation within ten (10) business days.
- Maintain transparent communication throughout the investigation and resolution process.
- Address and remediate the vulnerability within a reasonable timeframe, based on the nature and severity ofthe issue.
- Refrain from legal action, provided your actions were in good faith and aligned with this policy.