What is in scope?

NT-ware invites security researchers to help strengthen NT-ware and our product offering by proactively reporting security vulnerabilities and weaknesses. NT-ware, as part of the Canon Group, will work with the Canon PSIRT team on all submissions.

Domains in scope

The table below lists all domains included as part of the NT-ware Vulnerability Disclosure Policy:

*.nt-ware.com *nt-ware.net
*.uniflowonline.com *.uniflow.global
*.buildit-global.com *uniflow-demo.com
*.ulmtracker.com *.syshub.global

Products in scope

  • uniFLOW server
  • uniFLOW Online
  • uniFLOW sysHUB
  • uniFLOW Embedded Applets
  • uniFLOW Release Station
  • microMIND V2

Reporting a vulnerability

You can report weaknesses to us by email: product-security@nt-ware.com, stating concisely what weakness(es) you have found with as much detail as possible, together with any evidence you might have. Be aware that NT-ware is part of the Canon Group and, as such, works closely with the Canon PSIRT team. Responses to submitted VDPs may come from either organization as part of our triage and response process.

Please include the following information in your email:

  • The type of vulnerability.
  • The step-by-step instructions on how to reproduce the vulnerability.
  • The approach you undertook.
  • The entire URL.
  • Objects (as filters or entry fields) possibly involved.
  • Screenshots are highly appreciated.
  • Please provide your IP address. This will be confidential; NT-ware will use this information to track your testing activities and review the logs.

What is not acceptable?

  • Volumetric/denial-of-service vulnerabilities, i.e. simply overwhelming our service with a high volume of requests.
  • TLS configuration weaknesses, e.g. "weak" cipher suite support, TLS 1.0 support, Sweet32, etc.
  • "Self" XSS.
  • Mixed Content Scripts on www.nt-ware.*
  • Insecure Cookies on www.nt-ware.*
  • CSRF and CRLF attacks, where the resulting impact is minimal.
  • HTTP Host Header XSS without working proof-of-concept.
  • Incomplete/missing SPF/DMARC/DKIM.
  • Social engineering attacks.
  • Security bugs in third-party websites that integrate with NT-ware websites.
  • Network data enumeration techniques, e.g. banner grabbing, publicly available server diagnostic pages.
  • Reports indicating that our services do not fully align with "best practice."
  • Automated software scanner output.

What do we do with your report?

  • The Canon PSIRT team will review the reported vulnerability and collaborate with the NT-ware Security team to validate and categorize the findings.
  • The reporter can expect an acknowledgment of receipt from us within 3 business days after receiving the initial submission. Please be advised that we may not respond to every report.

Your privacy

We will only use your personal details when considering what action to take based on your report. We will not share your personal information with others without your express permission. Further information regarding our privacy policy can be found at the bottom of this page.

Reporting criteria

Potentially illegal actions

If you discover a weakness and investigate it, you should be aware that you may take actions that are punishable by law. Provided you follow the rules and principles below when reporting weaknesses in our IT systems, NT-ware will not report your offense to the authorities and will not submit a claim.

However, you need to know that the public prosecutor's office – not NT-ware – may decide to prosecute you, even if NT-ware has not reported your offense to the authorities. That is, NT-ware cannot guarantee that you will not be prosecuted if you commit a punishable offense while investigating a weakness.

The National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands has issued guidelines for reporting weaknesses in IT systems. NT-ware’s rules are based on these guidelines.

General principles

Take responsibility and act with extreme caution. When investigating the matter, use only the methods or techniques necessary to identify or demonstrate weaknesses.

You must not:

  • Violate any law or regulations.
  • Access unnecessary, excessive, or significant amounts of data.
  • Copy more than you need. If one record is sufficient, do not go any further.
  • Modify data in NT-ware's systems or services.
  • Use high-intensity invasive or destructive scanning tools to identify vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt or alter NT-ware's services, systems, or information.
  • Demand financial compensation in order to disclose any vulnerabilities.
  • Publicly disclose any resolved vulnerability report without prior written consent from NT-ware.
  • Use any weaknesses you detect for purposes other than your own research.
  • Use social engineering to gain access to a system.
  • Install any back doors – not even to demonstrate the vulnerability of a system – as they will weaken the system's security.
  • Use brute force techniques, e.g. repeatedly entering passwords to gain access to systems.
  • Use a Denial of Service (DoS) type of attack to gain access.

You must:

  • Securely delete all data retrieved during your research as soon as it's no longer needed or within one month of resolving the vulnerability, whichever occurs first, or as otherwise required by data protection law.
  • Always comply with data protection rules and do not violate the privacy of NT-ware's users, staff, contractors, services, or systems, i.e. you must not share, redistribute, or fail to secure data retrieved from the systems or services correctly.
  • Only infiltrate a system if it is really necessary to do so.
  • Refrain from sharing access with others if you manage to infiltrate a system.

Frequently asked questions

Do you have a bug bounty program?

We do not conduct a bug bounty program. Accordingly, please acknowledge that there is no expectation of payment or compensation and that any future right to claim related to the submitted report is waived.

Am I allowed to publicize the results of my investigation?

Never publicize weaknesses in NT-ware IT systems, products, or your research without consulting us first. Canon PSIRT and the NT-ware teams will work with you to ensure you are appropriately recognized in any public notifications for your efforts.

Can I report a weakness anonymously?

Yes, you can. You do not have to disclose your name and contact details when you report a weakness. Please realize, however, that NT-ware will be unable to consult with you regarding follow-up actions or further collaboration.