# netsecurity.no Responsible Disclosure Policy

We provide services and solutions that enable businesses and organisations to work safely online. We strongly believe that attempted cyber attacks should be detected and stopped at an early stage in order to avoid potentially serious consequences for the customer's business. Through responsible vulnerability research you can help us avoid attacks.

# Mutual Expectations

When working with us you can expect that we:

- Respond in a timely manner to your report
- Work to understand and validate your findings
- Recognize your contribution to improving our security
- Acknowledge your finding on our Security Acknowledgements page if you are the first to report a unique vulnerability

# Scope

Only configuration managed by, or systems operated and/or hosted by, Netsecurity for use by Netsecurity AS are in scope. We use cloud services for most of our customer-facing resources; these services have their own policies for security research and responsible disclosure and are not covered by this policy. Please contact us at security@netsecurity.no if you have any questions about scope.

# Submission of report

At a minimum, please include the following information with your initial submission:

- Vulnerability classification (Critical/High/Medium/Low)
- Short description
- Steps to reproduce (please be as detailed as possible; include screenshots if applicable)
- Asset/URL
- Date and time of your testing
- Preferred contact method (e.g. phone, email)

Please encrypt the report if possible using the public key listed in security.txt.

# Rewards

We currently do not offer a reward in the form of money or give-aways. We respect your work and the high integrity that leads to responsible disclosure and will offer a place on our Acknowledgments page: https://www.netsecurity.no/security-acknowledgments.txt

# How to Contact us

Our official communication channel is via email to irt@netsecurity.no

# Ground Rules

To encourage research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

- Play by the rules, including this policy and any other relevant agreements
- Promptly report any vulnerability you've discovered
- Avoid breaking the Confidentiality, Integrity or Availability of our systems and data
- Avoid violating the privacy of others
- Not engage in extortion

# Safe Harbor

For responsible disclosure related to systems that are configured by or operated by Netsecurity we will not take legal action against you. You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.