Vulnerability Disclosure Policy

1. Introduction

At Nightingale Software we take the security and privacy of our customers’ data and systems very seriously. We recognise that security researchers and members of the wider community can play a crucial role in helping us identify and address security vulnerabilities. This Vulnerability Disclosure Policy outlines the guidelines for reporting security vulnerabilities in our SaaS products and services.

2. Guidelines

To ensure a positive and responsible disclosure process, we ask that you adhere to the following guidelines:

  • Perform research only within the scope set out below.
  • Use the communication channel provided below to report the vulnerability.
  • Comply with all applicable laws and regulations in your research and disclosure.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Keep information about the vulnerability confidential until we have had sufficient time to address it.

3. How to report a vulnerability

If you discover a security vulnerability in any of our SaaS products or services, we encourage you to report it to us promptly.

Please send an email to security@nightingalesoftware.com.au with the subject line “Security Vulnerability Report” and include the following:

  • A detailed description of the vulnerability, including the affected product or service, the specific issue, and any supporting evidence.
  • If possible, steps to reproduce the vulnerability or a proof-of-concept (PoC) to help us understand the issue.
  • Your contact information, such as your name and a method to reach you.

Information we do not want to receive:

  • Personally identifiable information (PII)
  • Any cardholder data or other personal financial information

4. Our Commitment

If you follow our guidelines for responsible disclosure, we commit to:

  • Not pursue or support any legal action related to your research.
  • Acknowledge receipt of your report within 72 hours.
  • Investigate the reported vulnerability to verify its validity and assess its severity and potential impact.
  • Work diligently to resolve the issue as quickly as possible.
  • Keep you informed of progress throughout the process.
  • Recognise your contribution to the security of our products.

Our commitment not to pursue legal action applies to security researchers who follow this policy in good faith and report security vulnerabilities to us responsibly. We expect that you do not engage in any harmful or illegal activities within, or as a result of, your research.

5. Recognition

We are committed to giving credit to individuals or organisations who responsibly disclose vulnerabilities, subject to their preferences and applicable laws. A list of contributors will be posted publicly on our website.

While we are grateful for vulnerability reports, we do not offer a monetary reward program.

6. Scope

This policy applies to security vulnerabilities in any domain, subdomain, software, or service operated by Nightingale Software.

Exclusions

To protect our clients, our staff, the broader Internet community, and you as a security researcher, the following test types are prohibited:

  • Social engineering or phishing attacks against our employees, customers, or partners. 
  • Physical attacks against company property or data centres. 
  • Distributed Denial of Service (DDoS) attacks. 
  • Testing against third-party applications, websites, or services not owned or operated by Nightingale Software. 
  • Any services hosted by third-party providers. These include, but are not limited to, Microsoft Azure and Microsoft 365.
  • UI and UX bugs and spelling mistakes.

7. Amendments

This Vulnerability Disclosure Policy may be updated from time to time. Please review the latest version on our website. Thank you for your commitment to helping us improve the security of our SaaS products and services.