Security

Responsible Disclosure Policy

Program Introduction

Nitro values the contributions of security researchers who help us maintain the safety and security of our users' information. We recognize that even with our best efforts, vulnerabilities can exist. This program encourages responsible disclosure of security issues, allowing us to address them promptly and effectively. As a gesture of appreciation, we offer rewards for qualifying vulnerabilities reported through this program.


Scope

This program covers the following Nitro applications:

  • Nitro Pro (Windows, Mac, iOS)
  • Nitro Sign
  • Nitro Admin
  • Workspace
  • Nitro Identity

We prioritize reports of vulnerabilities that have a significant impact on the security of Nitro and its users.

Rules of Engagement

To participate in this program, you must adhere to the following guidelines:

  • Authorized Testing: Only test vulnerabilities on accounts you own or have explicit permission to test against.
  • Proof of Concept Only: Do not exploit vulnerabilities beyond the minimum necessary to demonstrate their existence. Do not use findings to access, modify, or delete data without authorization.
  • Data Protection: Do not store, transfer, or process any sensitive information discovered during testing. Delete all copies of sensitive data immediately after reporting.
  • No Disruptive Activity: Refrain from any activity that could disrupt, damage, or harm Nitro, its brands, or its users. This includes, but is not limited to, social engineering, phishing, physical security attacks, and denial-of-service attacks.
  • In-Scope Targets: Only report vulnerabilities found within the listed applications.
  • Confidentiality: Do not publicly disclose any vulnerability information without Nitro's explicit written permission.
  • First Reporter Priority: We only reward the first reporter of a valid vulnerability.
  • Disqualification: We reserve the right to disqualify anyone engaging in disrespectful or disruptive behavior.

Reporting Requirements

To ensure efficient processing, please provide the following information in your report:

  1. Vulnerability Description: A clear and concise description of the vulnerability.
  2. Reproduction Steps: Detailed, step-by-step instructions on how to reproduce the vulnerability.
  3. Proof of Concept: Screenshots, videos, or other evidence demonstrating the vulnerability's exploitability.
  4. Impact Assessment: A clear explanation of the potential impact of the vulnerability on Nitro and its users.
  5. Proposed CVSSv3 Score (Optional): If possible, provide a proposed CVSSv3 score to help us prioritize the issue.
  6. Affected URLs and Parameters: A list of relevant URLs and affected parameters.
  7. Additional Information: Any other relevant information, such as vulnerable URLs, payloads, or proof-of-concept code.
  8. Testing Environment: The browser, operating system, and/or app version used during testing.
  9. Attachment Handling: Please include all supporting evidence and attachments directly in your report. Do not use external file-hosting services.


Report Submission

Send your report, including all attachments, to security@gonitro.com.


Exclusion List (Out-of-Scope Vulnerabilities)

The following vulnerabilities are considered out of scope and will not be rewarded:

  • Social engineering attacks (phishing, spam).
  • Self-XSS.
  • Missing HTTP security headers (unless they directly enable an exploit).
  • Version disclosure without a demonstrable exploit.
  • Missing cookie flags on non-sensitive cookies.
  • Weak SSL/TLS ciphers without a practical proof of concept.
  • Vulnerabilities affecting outdated browsers or plugins.
  • Username or email enumeration (unless combined with another exploit).
  • Issues related to HTTP security headers and cookies that do not lead to a direct security impact.
  • Weak password policies.
  • CSRF on anonymous forms.
  • Clickjacking without a demonstrated security impact.
  • Missing security best practices that do not pose a direct security risk.

Legal and General Provisions

  • By participating in this program, you agree to these terms.
  • Nitro will not pursue legal action against researchers who comply with this policy.
  • Rewards may be subject to applicable taxes.
  • Nitro reserves the right to modify or terminate this program at any time.
  • Individuals prohibited by law from receiving rewards are ineligible.
  • Nitro employees and their immediate family members are ineligible.

Contact Nitro's Security Team

For any questions or clarifications, please contact the Nitro Security Team via email at security@gonitro.com.

Product Release Notes & Security Updates

Review recent feature releases and security updates related to Nitro's products.