Responsible Security Vulnerability Disclosure Policy

Version: 1.1
Adopted: 07 October 2022

1. Purpose

1.1 If you think you have found a potential vulnerability in our systems, please tell us as quickly as possible using the contact process set out in this policy. We are grateful for any information you can share with us that helps us further improve our systems and their security.

1.2 For the purposes of this policy, any of our sites, products, services, tools, programs, devices, networks, or any other hardware/software shall collectively be referred to as “systems”.

1.3 This policy gives researchers, users, and visitors a means of contacting us directly if they believe they have found a potential security vulnerability within our systems.

1.4 The security of our systems and the data we are responsible for is our top priority, and we take substantial measures to keep them secure. Despite our best efforts, there may still be vulnerabilities.

1.5 By making a submission, you are agreeing to the terms of this policy, which are intended to protect you, us, and our users.


2. How to submit a vulnerability to us

2.1 Please submit all vulnerability reports to us by email to SecurityDisclosure@nexuspoly.tech. In each submission please include:
    A) a clear description of the vulnerability;
    B) the particulars of the vulnerability (such as IP addresses, URLs, ports, input data, affected devices, or other information) that would assist us in locating and identifying it;
    C) detailed steps to reproduce the issue, including screenshots, logs, pages, photos, code, responses, videos, proofs of concept, or any other evidence;
    D) how you identified/discovered the vulnerability;
    E) any steps you would suggest to fix the issue (if applicable);
    F) your name (or handle) and contact details.

2.2 If your submission requires multiple emails to attach large files, please send us multiple emails with the various attachments. If your attachments are too large to send by email, please make your submission without the attachments and we will reply to you with a secure upload link.

2.3 Within this policy, any report made in accordance with the process in this clause 2 is referred to as a ‘submission’. Any reference to ‘submission’ or ‘submissions’ means the data communicated to us through the process defined in this clause 2.


3. What this policy covers

3.1 This policy covers any sites, products, services, tools, programs, devices, networks, or any other hardware/software which are:

    A) wholly or partially owned by Nexus Polytech, and/or any of its subsidiaries or associated entities;

    B) wholly or partially operated by Nexus Polytech, and/or any of its subsidiaries or associated entities.


4. What this policy does not cover

4.1 This policy does not cover any planned, assisted, attempted, and/or successful malicious attacks of the following nature on and/or towards our systems:

  • denial of service (DoS)
  • distributed denial of service (DDoS)
  • ransom attacks
  • clickjacking
  • reverse engineering
  • social engineering
  • phishing
  • code injection
  • cross site scripting (XSS)
  • exposure of any private keys
  • breaking of ciphers
  • physical attacks
  • modification or destruction of data or information
  • theft or sale of data or information


4.2 This policy does not apply to any systems of our clients or partners, or to any systems which are not owned by us but may be managed or operated by us.


5. What happens after you make a submission

5.1 We need time to investigate and mitigate any vulnerability. You must not make your research or any details of the vulnerability public, as we may not have finished our investigation or fixed or mitigated the vulnerability.

5.2 After you make a submission, we will review it and reply to you as soon as we can.

5.3 We will contact you to:

     A) keep you updated of our investigation and mitigation progress with as much information as we are able to disclose and as soon as we are able to;

     B) agree upon the details and date for public disclosure;

     C) credit you for your discovery of the vulnerability (unless you prefer us not to);

     D) collect your details in order to provide you with any compensation or bug bounty (if any is/was set).


6. Safe harbour protections

6.1 Thank you for sharing information about a security vulnerability with us.

6.2 If you submit a vulnerability report to us using the process outlined in this policy, and in compliance with all of the terms of this policy, we will not pursue civil action or initiate a complaint to any law enforcement agency against you for accessing our systems without authorisation in order to identify that vulnerability.

6.3 As soon as you have identified the vulnerability, you must stop all testing of it and report it immediately as described in this policy.

6.4 These safe harbour protections do not apply to any of the activities or systems referred to in clause 4 of this policy.


7. Deletion of data

7.1 After making a submission in accordance with this policy, you are required to delete any data related to the vulnerability, including any data you accessed without authorisation in discovering the vulnerability, as well as any steps to reproduce the vulnerability.

7.2 If at any time you inadvertently acquired, accessed, or collected any data you were not authorised to access, you must delete that data.

7.3 The deletion of data in accordance with this clause must be done in a secure way that does not permit recovery of said data.


8. Ownership and liability

8.1 You agree that all information submitted to us relating to a vulnerability becomes the legal property of Nexus Polytech.

8.2 You agree that by making a submission you transfer to us all legal rights and intellectual property rights for the following data related to a submission and the related vulnerability:

  • screenshots
  • images
  • proofs of concept
  • writing
  • explanations
  • suggestions
  • code
  • invention
  • patches
  • improvements
  • any other related information
  • any other related creation


8.3 We do not grant you any legal rights or intellectual property rights to any of the data listed in clause 8.2 of this policy.

8.4 You grant us a worldwide, royalty-free, fully paid-up, perpetual license to use in any way any information you submit in connection with a vulnerability for:

     A) integration and adoption into our systems;

     B) data analysis and research purposes;

     C) further investigation and testing;

     D) analysis, remediation, mitigation or improvement to our systems;

     E) business purposes connected to or relating to us, now or in the future.

8.5 Nexus Polytech, its subsidiaries, related entities, employees, staff, affiliates, and/or representatives will not be liable for any direct, indirect, incidental, wilful, and/or consequential damages incurred by you in relation to this policy.

8.6 Unless otherwise agreed in writing, any information submitted by you in relation to a vulnerability is provided to us at no charge.

8.7 Unless otherwise stated in writing, we shall not owe you any fee or compensation for your submission or any services performed or expenses incurred in the discovery and/or submission processes.


9. Your obligations

9.1 Nothing regarding your submission or the vulnerability shall imply, indicate, or express that you are an employee of Nexus Polytech. The relationship between you and us shall not constitute a partnership, joint venture, or agency.

9.2 You are not permitted to disclose, make statements, or publish anything related to the vulnerability unless you are given explicit written permission by us to do so.

9.3 You shall not have the authority to make any comment, statement, representation or commitment on our behalf.

9.4 All communications between you and us related to this vulnerability shall be confidential and not for public disclosure, unless you are given explicit written permission by us to do so.

9.5 You shall not use our name, logo, icon, any of our trademarks, or any of our branding/identity assets without our explicit prior written consent.

9.6 Unless otherwise stated, we will not compensate you for finding any potential or verified vulnerabilities.

9.7 You agree that you have not, and agree that you will not, misuse any data taken from our systems for any unlawful, unethical, malicious, fraudulent, abusive, threatening, defamatory, or otherwise improper purpose.


10. Other terms

10.1 This policy shall be governed by the laws of the Commonwealth of Australia, without regard to conflict of laws principles, and any disputes shall be settled in a court of Australia.

10.2 We reserve the right, in our sole discretion, to modify or amend the terms of this policy, or to terminate any or all of them at any time, without prior notice, explanation, or justification.