Legal

Responsible disclosure

Although we put tremendous effort into keeping our systems secure at Normec Group, there can always be vulnerabilities that have gone unnoticed by us. Whenever you find a (potential) vulnerability that could cause an issue for our systems or lead to the disclosure of our (customer) data, we kindly ask you to report it to us so that we can remediate it and better protect our customers and systems.

To disclose a vulnerability, please adhere to the following:

  • Share your findings by contacting our security team via the contact details published at https://normecgroup.com/.well-known/security.txt. If you want to include screenshots or a formatted write-up, upload it as a PDF.

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability, or by deleting or modifying other people's data.

  • Do not reveal the problem to others until it has been resolved. Please refrain from publishing any information until we have reviewed the content and given our approval, to ensure no sensitive information is disclosed.

If you follow the responsible disclosure process correctly, we promise to:

  • Analyze your report and get back to you within five working days of submission.

  • Never take legal action against you, provided the rules of the disclosure process have been followed.

  • Handle your report in strict confidence and never pass your personal details on to third parties without your permission.

  • Keep you informed of the progress towards resolving the problem.

  • Name you as the discoverer of the problem in any public information about it (unless you prefer otherwise).

  • Offer a reward, as a token of our gratitude for your assistance, for every report of a security problem that was not yet known to us.

  • Review your write-up, blog post or video after remediation, if you wish to publish your finding.

Rewards

Depending on the severity of the identified vulnerability, the reward ranges from Normec merchandise and goodies to PayPal transfers of between €50 and €250.

Definition of a security vulnerability

Normec considers a security vulnerability to be a weakness in our websites or infrastructure that could impact the confidentiality, integrity and/or availability of those systems. Although this is a broad definition, we understand you might raise concerns that are already known to us, or that Normec does not consider a security issue. To provide some clarity, the following types of findings are not defined as security vulnerabilities:

  • Auto-completion enabled or disabled on forms.

  • Missing cookie attributes on non-sensitive cookies, for example a missing HttpOnly flag on public analytics trackers.

  • Presence or absence of HTTP security headers such as X-Frame-Options, Content-Security-Policy or X-Content-Type-Options (nosniff), unless they are part of the fix for another, related vulnerability.

  • Certain low-risk vulnerabilities, or risks that are already known to us. These may still be security vulnerabilities, but they are either already being remediated or have been accepted as a risk.

In addition, the following actions are not permitted while investigating a (potential) vulnerability:

  • Installing malware.

  • Copying, modifying or deleting data in a system.

  • Making changes to the system.

  • Repeatedly gaining access to the system or sharing access with others.

  • Using “brute force” to gain access to a system.

  • Using denial-of-service attacks or social engineering.

The following are things we would definitely consider a security vulnerability:

  • Unauthorized access to customer data, including but not limited to names, order information and further personal details.

  • Remote Code Execution (RCE).

  • Server-Side Request Forgery (SSRF).

  • Cross-site Scripting (XSS).

  • Cross-site Request Forgery (CSRF).

  • Injection attacks, such as SQL Injection (SQLi).

  • XML External Entity (XXE) attacks.

  • Access control vulnerabilities (Insecure Direct Object Reference issues, etc.).

  • Path/directory traversal issues.

When in doubt, feel free to submit a (potential) vulnerability to our security team for our review/consideration.

Reporting a vulnerability

If you believe you have found a security issue that we would consider a security vulnerability, or have something else you would like to bring to our attention, use the contact details published at https://normecgroup.com/.well-known/security.txt.