Nimbox Vault is built securely, from the ground up. We can’t access your data, and we’re transparent about how we protect it.
Vulnerability reportingYou trust us to encrypt and store your data. We take this trust very seriously. We thoroughly investigate all reported security vulnerabilities, and aim to make this process as transparent as possible.
What our programme coversOur security programme includes our platform, public web assets, and third party services (but only where the attack can exploit our customers directly). Please don’t submit reports derived from automatic scanning tools, such as SSL Labs; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues. Additionally, attacks that only affect individual user accounts (such as self-XSS), the presence of application or web browser ‘autocomplete’ messages, Logout Cross-Site Request Forgeries, banner disclosure on public services, issues only exploitable through clickjacking, and descriptive error messages, are not covered.
In scope assetsvault.nimbox.co.uk sync.nimbox.co.uk
Not in scope assets (unless the attack can exploit our customers directly)www.nimbox.co.uk support.nimbox.co.uk status.nimbox.co.uk developer.nimbox.co.uk
How to report a security vulnerabilityTo contact the Nimbox Security Team, please email firstname.lastname@example.org. Please note, no cash rewards are given out.
What to tell usWhen contacting our Security Team, try to include information that we can use to replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code). Please read our security programme’s scope before submitting your report, as only in-scope reports will be accepted.
What happens nextWe aim to respond to all vulnerability reports within 24 hours. We will then provide you with updates every 20 working days. The Security Team reviews all reported vulnerabilities and takes steps to validate and reproduce them. If more information is needed, we will work with you until such a time that the vulnerability can be validated. Once the review is complete, and the vulnerability has been confirmed, the results will be sent to you along with information about its resolution and any subsequent public disclosure. Public disclosures will be made on our blog. We realise that individuals, businesses and organisations usually publish vulnerabilities on their websites, and if possible, we’d like to publish our respective public disclosures simultaneously. We don’t give out any financial rewards, but as a thank you for letting us know about any valid vulnerabilities, we’ll send you some limited edition stickers and add your name to our security researcher’s wall of fame, below:
You guys rockThe security researchers below have reported security vulnerabilities to us, helping to make the internet a safer place.
Shivam Kumar Agarwal
Babar Khan Akhunzada
Kanhaiya Kumar Singh
Mehedi Hasan (SecMiners BD)
André Nel (JFX Tech)