Ethical hacking & NN Group’s Responsible Disclosure Policy
NN Group N.V. and its subsidiaries (hereafter NN Group) find it important that clients can use online services and applications safely and in a secure manner at all times. Despite our efforts to keep our IT systems secure, you may discover security vulnerabilities in our internet-facing IT environment. We would appreciate your help in disclosing this information to us in a responsible manner.
What to report?
The Responsibility Disclosure Policy reports vulnerabilities with regards to the safety of NN Group services offered through the internet. In the case that you have discovered a vulnerability in our system, please report this as quickly as possible by sending an email to responsible-disclosure@nn-group.com. Examples could be:
- Injection vulnerabilities (SQL, XPATH, etc.)
- Cross-site Scripting (XSS) vulnerabilities
- Encryption vulnerabilities
- Cross-site request forgery (CSRF)
- Privilege escalation
- Remote code execution
- Open redirect
- etc.
The following finding types are specifically excluded from the program:
- Missing HTTP security headers, specifically:
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Content-Security-Policy-Report-Only
- SSL/TLS issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL/TLS weak/insecure cipher suites
- Descriptive error messages (e.g. stack traces, application or server errors)
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt, readme.txt, changes.txt)
- CSRF on forms that are available to anonymous users, (e.g. the contact form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTPOnly and SameSite cookie flags
- Weak Captcha/Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- (Distributed) Denial of Service attacks
- Out of date software versions (exceptional cases may still be rewarded)
- DNS External Service Interaction
- Mail configuration issues including SPF, DKIM, DMARC settings
- DNSSEC configuration
In addition to in-scope items mentioned above, some additional vulnerability types will be considered in-scope for mobile applications. These include:
Exported components (Activities, Broadcast receivers, Services, File Providers) – only if it can be used to gain unauthorized access to application data or functionality
WebViews (XSS, CSRF, LFI)
Insecure Deeplinks (e.g., routing bypasses, deep link to XSS or RCE can increase the risk)
Authentication (bypass PIN/fingerprint lock on application level)
Insecure Data and File storage (e.g., sensitive data in a world-readable file; API keys, tokens, usernames and passwords)
Insecure Cryptography (e.g., hardcoded encryption keys and IVs)
The following types of bugs do not have a meaningful security impact and will not be accepted.
Decompilation / reverse engineer an application
Any access to data where the targeted user needs to be operating a rooted mobile device
Attacks that require attacker application to have the permission to overlay on top of our mobile app on a non-security-critical screen (e.g., tapjacking)
Lack of certificate pinning (improper certificate validation is eligible)
Previously known vulnerable libraries without a working proof of concept
Lack of jailbreak detection in mobile apps
Lack of Exploit mitigations (e.g., PIE, ARC, or Stack Canaries.)
Apps requesting excessive permissions.
Local temporary Denial of Service (e.g. trigger some function within an app that causes the phone to crash and reboot.)
Note: Only vulnerabilities that work on Android 8.0 / iOS 11 devices (with the most up to date patches) and higher will qualify.
What is responsible-disclosure@nn-group.com not used for?
- Reporting complaints about NN Services & Products
- Questions and complaints about the availability of NN web applications
- Reporting fraud or presumption of fraud
- Reporting fake emails, spam or phishing emails
- Reporting malware
How can vulnerabilities be reported?
A vulnerability can be reported by email: responsible-disclosure@nn-group.com. Please write your email in clear and understandable English. Include the following in your email:
- The entire URL
- Description of the vulnerability
- The steps that are performed (Proof of Concept)
- A possible attack scenario
- Screenshots
Our specialists will read your report and start working on it immediately. If you have found a vulnerability in our web applications, please do not hesitate to contact us.
If you are requested to provide any additional information or evidence that is in your possession, and fail to do so within 30 days, the responsible disclosure report will be denied and not eligible for reward.
Rules
When researching our systems, always act in good faith. You must use discovered vulnerabilities only for your own investigation. Keep the discovered vulnerability confidential until you have agreed upon when and how to disclose the vulnerability with NN Group.
We do not allow you to do security research on our systems and (online) applications that would mate-rially adversely impact the performance or availability, such as:
- (Distributed) Denial of Service (D)DoS attacks
- Exploits to edit, corrupt or delete data
- Any activity that could disrupt our (online) services
- Changes to systems or configurations
- Placement of backdoors in our systems
- Brute-forcing attacks
- Social engineering
- Penetrating the system more than required
- Sharing gained access or discovered vulnerabilities with others
- Use of automatic web application scanners (Burp Suite, OWASP ZAP, Webinspect, etc.)
Please also keep the data of other users safe:
Limit testing to accounts you own and do not impact other users.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Never copy more data than necessary for your investigation.
Contact us immediately if you do inadvertently encounter any personal or sensitive information of other people. Do not view, alter, save, store, share, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to us.
For every finding related to privacy violations we require a confirmation, that all acquired data were deleted and can/will not be reproduced.
Violation of these rules, law, or ethical behaviour, may result in a ban from NN Group N.V. responsible disclosure programme.
Am I eligible for a reward?
If you report vulnerabilities, you may be eligible for a financial reward. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.
You will be eligible for a reward if:
The web application belongs to NN Group
Your investigation and report comply with the above mentioned rules
The vulnerability has NOT been reported before by a different ethical hacker
The finding is well-described and documented (Preferably contains Proof of Concept)
The finding is valid
Security vulnerabilities in third-party websites and applications that integrate with NN Group's IT environment do not qualify for a reward
In case you are eligible for a reward, we require your personal information and personal banking account. NN Group N.V. will not pay out your reward to PayPal or other similar services.
In case your reported vulnerability is reported by others as well, the reward will be granted to the first reporter only.
Please note: going public with your findings before fixes are applied and without approval from NN Group N.V., will exclude you in every circumstances from the “reward”.
NN Group N.V. reserves the right to consider as non-eligible reward reports of 0-days and other publicly known vulnerabilities (CVEs) which were disclosed within the last 90 days to the date of your responsible disclosure report.
In case the same vulnerability exists in different server/service/solution, the reward might be paid for this vulnerability only once, if the codebase and the fix are the same. Additionally, for applications that share the same codebase, the reward will be paid only once, unless an environmentally unique vulnerability is discovered. NN Group N.V. reserves the right to make this decision on a case-by-case basis.
What will we do with your finding?
Every report is handled with the same attention. We will respond to you within five working days of receiving your report. We will review, verify and investigate the vulnerability and reward you if the report is eligible. We will fix the vulnerability and may ask you for feedback about the intended solution.
Your Privacy
We respect your privacy. We will only use your contact information for communication with you during the responsible disclosure procedure and also to grant the reward if you are eligible. We will not pass on your personal details to third parties without permission, unless we are required to do so by law, or if an external organization takes over the investigation of your reported vulnerability. In that case, we will make sure that the relevant authority or organization treats your personal information confidentially.
Can I report anonymously?
It is possible to report vulnerabilities anonymously; you do not have to supply contact information when you report a vulnerability. Please be aware that when you report anonymously, we cannot contact you about the credits or your potential reward.
International Law
We would like to point out that this responsible disclosure policy is governed by Dutch law. If you are located in a different country, keep the applicable local law in mind, as other countries may have different laws regarding responsible disclosure. This could mean that you will be subject to local legal recourse or may be subject to agencies enforcing such different local law, even if NN Group does not seek legal recourse or file a report at a law enforcement agency.
Dutch Law
If you discover a vulnerability and investigate it, you might perform actions that are punishable by law. If you abide by the rules of our responsible disclosure policy for reporting the vulnerabilities in our systems, we will not report your offence to the authorities and will not submit a claim.
It is important for you to know, however, that the public prosecutor’s office (Openbaar Ministerie) – not NN Group – will decide whether or not you will be prosecuted, regardless of whether NN Group files a report to the Dutch authorities. NN Group neither represents nor guarantees that you will not be prosecuted if you commit a criminal offence when investigating a vulnerability.
The National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.