Responsible Disclosure Policy
Program Introduction
Nitro values the contributions of security researchers who help us maintain the safety and security of our users' information. We recognize that even with our best efforts, vulnerabilities can exist. This program encourages responsible disclosure of security issues, allowing us to address them promptly and effectively. As a gesture of appreciation, we offer rewards for qualifying vulnerabilities reported through this program.
Scope
This program covers the following Nitro applications:
- Nitro Pro (Windows, Mac, iOS)
- Nitro Sign
- Nitro Admin
- Workspace
- Nitro Identity
We prioritize reports of vulnerabilities that have a significant impact on the security of Nitro and its users.
Rules of Engagement
To participate in this program, you must adhere to the following guidelines:
- Authorized Testing: Only test vulnerabilities on accounts you own or have explicit permission to test against.
- Proof of Concept Only: Do not exploit vulnerabilities beyond the minimum necessary to demonstrate their existence. Do not use findings to access, modify, or delete data without authorization.
- Data Protection: Do not store, transfer, or process any sensitive information discovered during testing. Delete all copies of sensitive data immediately after reporting.
- No Disruptive Activity: Refrain from any activity that could disrupt, damage, or harm Nitro, its brands, or its users. This includes, but is not limited to, social engineering, phishing, physical security attacks, and denial-of-service attacks.
- In-Scope Targets: Only report vulnerabilities found within the listed applications.
- Confidentiality: Do not publicly disclose any vulnerability information without Nitro's explicit written permission.
- First Reporter Priority: We only reward the first reporter of a valid vulnerability.
- Disqualification: We reserve the right to disqualify anyone engaging in disrespectful or disruptive behavior.
Reporting Requirements
To ensure efficient processing, please provide the following information in your report:
- Vulnerability Description: A clear and concise description of the vulnerability.
- Reproduction Steps: Detailed, step-by-step instructions on how to reproduce the vulnerability.
- Proof of Concept: Screenshots, videos, or other evidence demonstrating the vulnerability's exploitability.
- Impact Assessment: A clear explanation of the potential impact of the vulnerability on Nitro and its users.
- Proposed CVSSv3 Score (Optional): If possible, provide a proposed CVSSv3 score to help us prioritize the issue.
- Affected URLs and Parameters: A list of relevant URLs and affected parameters.
- Additional Information: Any other relevant information, such as vulnerable URLs, payloads, or proof-of-concept code.
- Testing Environment: The browser, operating system, and/or app version used during testing.
- Attachment Handling: Please include all supporting evidence and attachments directly in your report. Do not use external file-hosting services.
Report Submission
Send your report, including all attachments, to security@gonitro.com.
Exclusion List (Out-of-Scope Vulnerabilities)
The following vulnerabilities are considered out of scope and will not be rewarded:
- Social engineering attacks (phishing, spam).
- Self-XSS.
- Missing HTTP security headers (unless they directly enable an exploit).
- Version disclosure without a demonstrable exploit.
- Missing cookie flags on non-sensitive cookies.
- Weak SSL/TLS ciphers without a practical proof of concept.
- Vulnerabilities affecting outdated browsers or plugins.
- Username or email enumeration (unless combined with another exploit).
- HTTP security header and cookie-related issues that do not lead to a direct security impact.
- Weak password policies.
- CSRF on anonymous forms.
- Clickjacking without a demonstrated security impact.
- Missing security best practices that do not pose a direct security risk.
Legal and General Provisions
- By participating in this program, you agree to these terms.
- Nitro will not pursue legal action against researchers who comply with this policy.
- Rewards may be subject to applicable taxes.
- Nitro reserves the right to modify or terminate this program at any time.
- Individuals prohibited by law from receiving rewards are ineligible.
- Nitro employees and their immediate family members are ineligible.