Nimbox Vault is built securely, from the ground up. We can’t access your data, and we’re transparent about how we protect it.
You trust us to encrypt and store your data. We take this trust very seriously. We thoroughly investigate all reported security vulnerabilities, and aim to make this process as transparent as possible.
What our programme covers
Our security programme includes our platform, public web assets, and third party services (but only where the attack can exploit our customers directly).
Please don’t submit reports derived from automatic scanning tools, such as SSL Labs; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues.
Additionally, attacks that only affect individual user accounts (such as self-XSS), the presence of application or web browser ‘autocomplete’ messages, Logout Cross-Site Request Forgeries, banner disclosure on public services, issues only exploitable through clickjacking, and descriptive error messages, are not covered.
In scope assets
Not in scope assets (unless the attack can exploit our customers directly)
How to report a security vulnerability
To contact the Nimbox Security Team, please email firstname.lastname@example.org.
What to tell us
When contacting our Security Team, try to include information that we can use to replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code). Please read our security programme’s scope before submitting your report, as only in-scope reports will be accepted.
What happens next
We aim to respond to all vulnerability reports within 24 hours. We will then provide you with updates every 20 working days.
The Security Team reviews all reported vulnerabilities and takes steps to validate and reproduce them. If more information is needed, we will work with you until such a time that the vulnerability can be validated.
Once the review is complete, and the vulnerability has been confirmed, the results will be sent to you along with information about its resolution and any subsequent public disclosure.
Public disclosures will be made on our blog. We realise that individuals, businesses and organisations usually publish vulnerabilities on their websites, and if possible, we’d like to publish our respective public disclosures simultaneously.
We’ll let you know if a reward will be issued for the bug that you report. Rewards are issued at our sole discretion, and we don’t guarantee that your report will result in a reward being issued.
You guys rock
The security researchers below have reported security vulnerabilities to us, helping to make the internet a safer place.
Shivam Kumar Agarwal
Babar Khan Akhunzada