Vulnerability reporting.

Nimbox Vault is built securely, from the ground up. We can’t access your data, and we’re transparent about how we protect it.

Vulnerability reporting

You trust us to encrypt and store your data. We take this trust very seriously. We thoroughly investigate all reported security vulnerabilities, and aim to make this process as transparent as possible.

What our programme covers

Our security programme includes our platform, public web assets, and third-party services (but only where the attack can exploit our customers directly). Please don’t submit reports derived from automatic scanning tools, such as SSL Labs; we scan our systems regularly, and will already be aware of (and be in the process of fixing) these issues. Additionally, the following are not covered: attacks that only affect individual user accounts (such as self-XSS), the presence of application or web browser ‘autocomplete’ messages, logout Cross-Site Request Forgery, banner disclosure on public services, issues only exploitable through clickjacking, and descriptive error messages.

In scope assets

Not in scope assets (unless the attack can exploit our customers directly)

How to report a security vulnerability

To contact the Nimbox Security Team, please email note, no cash rewards are given out.

What to tell us

When contacting our Security Team, try to include information that we can use to replicate the issue (e.g. configuration details, a proof-of-concept, or exploit code). Please read our security programme’s scope before submitting your report, as only in-scope reports will be accepted.

What happens next

We aim to respond to all vulnerability reports within 24 hours. We will then provide you with updates every 20 working days. The Security Team reviews all reported vulnerabilities and takes steps to validate and reproduce them. If more information is needed, we will work with you until such time as the vulnerability can be validated. Once the review is complete and the vulnerability has been confirmed, the results will be sent to you along with information about its resolution and any subsequent public disclosure. Public disclosures will be made on our blog. We realise that individuals, businesses and organisations usually publish vulnerabilities on their websites, and if possible, we’d like to publish our respective public disclosures simultaneously. We don’t give out any financial rewards, but as a thank you for letting us know about any valid vulnerabilities, we’ll send you some limited edition stickers and add your name to our security researchers’ wall of fame, below:

You guys rock

The security researchers below have reported security vulnerabilities to us, helping to make the internet a safer place.
Shivam Kumar Agarwal
Pradeep Kumar
Mansouri Badis
Charfeddine Hamdi
Konduru Jashwanth
Muhammad Osama
Zee Shan
Suyog Palav
Ali BawazeEer
Babar Khan Akhunzada
Nithish Varghese
Ashish Padelkar
Ross Bingham
Tinu Tomy
Rayen Messaoudi
Pethuraj M
Prakash Kumar
Shubham Garg
Mahendra Purbia
Sunita Sharma
Kanhaiya Kumar Singh
Mehedi Hasan (SecMiners BD)
Virendra Tiwari
Vibhisha Ghodasara
Sureshkumar Anbazhagan
Ayan Saha
Farah Hawa
Keshav Malik
Dawid Granacki
Chetan Pathade
André Nel (JFX Tech)