Policy Re Reporting Potential Information Security Vulnerabilities

1. Introduction

At Nightingale Software we take the security and privacy of our customers’ data and systems (and the security and privacy of the data of our customers’ clients) very seriously. We recognise that security researchers and members of the wider community can play a crucial role in helping us identify and address potential security vulnerabilities. This Policy re Reporting Potential Information Security Vulnerabilities outlines the guidelines for reporting potential security vulnerabilities in our products and services.

2. Guidelines

To ensure a positive and responsible reporting process, we kindly request that you adhere to the following guidelines:

  • Perform research only within the scope set out below.
  • Use our provided communication channel to report any potential vulnerability.
  • Your research and reporting should comply with all applicable laws and regulations.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Keep information about the potential vulnerability confidential until we have had sufficient time to confirm if it is a vulnerability and, if so, to address it.

3. How to report a potential vulnerability

If you discover a potential security vulnerability in any of our products or services, we encourage you to report it to us promptly.

Please send an email to security@nightingalesoftware.com.au with the subject line “Potential Security Vulnerability” and include the following:

  • A detailed description of the potential vulnerability, including the affected product or service, the specific issue, and any supporting evidence.
  • If possible, include steps to reproduce the potential vulnerability or a proof-of-concept (PoC) to help us understand the issue better.
  • Include your contact information, such as your name and a method to reach you.

Information you should not send us:

Personally identifiable information (PII), which is any information connected to a specific individual that can be used to uncover that individual’s identity, such as their Medicare number, full name, email address or phone number. Please also do not send any credit card holder data or personal financial information.

4. Our Commitment

If you follow our guidelines for responsible reporting, we commit to:

  • Not pursue or support any legal action related to your research.
  • Acknowledge receipt of your report within 72 hours.
  • Have our security team investigate the reported potential vulnerability to verify its validity and assess its severity and potential impact.
  • Work diligently to confirm the vulnerability and, if confirmed, resolve the issue as quickly as possible.
  • Keep you informed of progress throughout the process.
  • Provide recognition of your contribution towards the security of our products.

Our commitment extends to not pursuing legal action against security researchers who follow this policy in good faith and report potential security vulnerabilities to us responsibly. We expect that you do not engage in any harmful or illegal activities within or as a result of your research.

5. Recognition

We are committed to giving credit to individuals or organisations who responsibly disclose vulnerabilities, subject to their preferences and applicable laws. A list of contributors will be posted publicly on our website.

While we are grateful for vulnerability reports, we do not offer a monetary reward program.

6. Scope

This policy pertains to any potential digital vulnerabilities in any domain, subdomain, software, or service operated by Nightingale Software.

Exclusions

Any services hosted by 3rd party providers are excluded from scope. These services include but are not limited to Microsoft Azure and Microsoft 365.

The following vulnerability types are also excluded from the scope of this Policy:

  • Weak or insecure SSL ciphers or certificates.
  • Misconfigured or missing DNS records, including, but not limited to, SPF (Sender Policy Framework) or DMARC (Domain-based Message Authentication, Reporting and Conformance).
  • Clickjacking

UI and UX ‘bugs’ and spelling mistakes are not potential security vulnerabilities and should not be reported via the mechanism specified in this policy. Such items should be reported to Nightingale separately.

To prioritise the safety of our customers, their clients, our staff, our customers’ staff, the broader Internet community, and your role as a security researcher, we have identified the following test types as prohibited:

  • Social engineering or phishing attacks against our employees, customers, or partners.
  • Physical attacks against company property or data centres.
  • Attempts to modify, destroy or exfiltrate data.
  • Distributed Denial of Service (DDoS) attacks.
  • Testing against third-party applications, websites, or services not owned or operated by Nightingale Software.
  • Use of automated vulnerability assessment tools.

7. Amendments

This Policy re Reporting Potential Information Security Vulnerabilities may be updated from time to time.

Thank you for your commitment to helping us improve the security of our products and services.