Ethical hacking & NN Group’s Responsible Disclosure Policy

NN Group N.V. and its subsidiaries (hereafter NN Group) find it important that clients can use online services and applications safely and in a secure manner at all times. Despite our efforts to keep our IT systems secure, you may discover security vulnerabilities in our internet-facing IT environment. We would appreciate your help in disclosing this information to us in a responsible manner.

What to report

The Responsible Disclosure Policy covers vulnerabilities in the security of NN Group services offered through the internet. If you have discovered a vulnerability in one of our systems, please report it as quickly as possible by email. Examples include:

  • Injection vulnerabilities (SQL, XPATH, etc.)

  • Cross-site Scripting (XSS) vulnerabilities

  • Encryption vulnerabilities

  • Cross-site request forgery (CSRF)

  • Privilege escalation

  • Remote code execution

  • Open redirect

  • etc.

The following finding types are specifically excluded from the program:

  • Missing HTTP security headers, specifically:

      • Strict-Transport-Security

      • X-Frame-Options

      • X-XSS-Protection

      • X-Content-Type-Options

      • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

      • Content-Security-Policy-Report-Only

  • SSL/TLS issues, e.g.:

      • SSL attacks such as BEAST, BREACH, Renegotiation attack

      • SSL forward secrecy not enabled

      • SSL/TLS weak/insecure cipher suites

  • Descriptive error messages (e.g. stack traces, application or server errors)

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages

  • Fingerprinting/banner disclosure on common/public services

  • Disclosure of known public files or directories, (e.g. robots.txt, readme.txt, changes.txt)

  • CSRF on forms that are available to anonymous users, (e.g. the contact form)

  • Logout Cross-Site Request Forgery (logout CSRF)

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality

  • Lack of Secure and HTTPOnly and SameSite cookie flags

  • Weak Captcha/Captcha Bypass

  • Login or Forgot Password page brute force and account lockout not enforced

  • OPTIONS HTTP method enabled

  • HTTPS Mixed Content Scripts

  • (Distributed) Denial of Service attacks

  • Out of date software versions (exceptional cases may still be rewarded)

  • DNS External Service Interaction

  • Mail configuration issues including SPF, DKIM, DMARC settings

  • DNSSEC configuration

In addition to the in-scope items mentioned above, some additional vulnerability types will be considered in scope for mobile applications. These include:

  • Exported components (Activities, Broadcast receivers, Services, File Providers) – only if it can be used to gain unauthorized access to application data or functionality

  • WebViews (XSS, CSRF, LFI)

  • Insecure Deeplinks (e.g., routing bypasses, deep link to XSS or RCE can increase the risk)

  • Authentication (bypass PIN/fingerprint lock on application level)

  • Insecure Data and File storage (e.g., sensitive data in a world-readable file; API keys, tokens, usernames and passwords)

  • Insecure Cryptography (e.g., hardcoded encryption keys and IVs)

The following types of bugs do not have a meaningful security impact and will not be accepted:

  • Decompilation / reverse engineering of an application

  • Any access to data where the targeted user needs to be operating a rooted mobile device

  • Attacks that require attacker application to have the permission to overlay on top of our mobile app on a non-security-critical screen (e.g., tapjacking)

  • Lack of certificate pinning (improper certificate validation is eligible)

  • Previously known vulnerable libraries without a working proof of concept

  • Lack of jailbreak detection in mobile apps

  • Lack of exploit mitigations (e.g., PIE, ARC or stack canaries)

  • Apps requesting excessive permissions

  • Local temporary Denial of Service (e.g., triggering some function within an app that causes the phone to crash and reboot)

Note: Only vulnerabilities that work on Android 8.0 / iOS 11 devices (with the most up-to-date patches) and higher will qualify.

Contact

What is responsible-disclosure@nn-group.com not used for?

  • Reporting complaints about NN Services & Products

  • Questions and complaints about the availability of NN web applications

  • Reporting fraud or presumption of fraud

  • Reporting fake emails, spam or phishing emails

  • Reporting malware

How can vulnerabilities be reported?

A vulnerability can be reported by email to responsible-disclosure@nn-group.com. Please write your email in clear and understandable English. Include the following in your email:

  • The entire URL

  • Description of the vulnerability

  • The steps that are performed (Proof of Concept)

  • A possible attack scenario

  • Screenshots

Our specialists will read your report and start working on it immediately. If you have found a vulnerability in our web applications, please do not hesitate to contact us.

If you are requested to provide additional information or evidence that is in your possession and fail to do so within 30 days, the responsible disclosure report will be denied and will not be eligible for a reward.

Am I eligible for a reward?

If you report vulnerabilities, you may be eligible for a financial reward. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.

You will be eligible for a reward if:

  • The web application belongs to NN Group

  • Your investigation and report comply with the above mentioned rules

  • The vulnerability has NOT been reported before by a different ethical hacker

  • The finding is well-described and documented (Preferably contains Proof of Concept)

  • The finding is valid

Security vulnerabilities in third-party websites and applications that integrate with NN Group's IT environment do not qualify for a reward.

In case you are eligible for a reward, we require your personal information and personal bank account details. NN Group N.V. will not pay out your reward to PayPal or other similar services.

In case your reported vulnerability is also reported by others, the reward will be granted to the first reporter only.

Please note: going public with your findings before fixes are applied and without approval from NN Group N.V. will exclude you in all circumstances from the reward.

NN Group N.V. reserves the right to consider reports of 0-days and other publicly known vulnerabilities (CVEs) that were disclosed within the 90 days before the date of your responsible disclosure report as non-eligible for a reward.

In case the same vulnerability exists in different servers/services/solutions, the reward might be paid for this vulnerability only once, if the codebase and the fix are the same. Additionally, for applications that share the same codebase, the reward will be paid only once, unless an environmentally unique vulnerability is discovered. NN Group N.V. reserves the right to make this decision on a case-by-case basis.

What will we do with your finding?

Every report is handled with the same attention. We will respond to you within five working days of receiving your report. We will review, verify and investigate the vulnerability and reward you if the report is eligible. We will fix the vulnerability and may ask you for feedback about the intended solution.

Your Privacy

We respect your privacy. We will only use your contact information for communication with you during the responsible disclosure procedure and to grant the reward if you are eligible. We will not pass on your personal details to third parties without permission, unless we are required to do so by law, or if an external organization takes over the investigation of your reported vulnerability. In that case, we will make sure that the relevant authority or organization treats your personal information confidentially.

Can I report anonymously?

It is possible to report vulnerabilities anonymously; you do not have to supply contact information when you report a vulnerability. Please be aware that when you report anonymously, we cannot contact you about the credits or your potential reward.

International Law

We would like to point out that this responsible disclosure policy is governed by Dutch law. If you are located in a different country, keep the applicable local law in mind, as other countries may have different laws regarding responsible disclosure. This could mean that you will be subject to local legal recourse or may be subject to agencies enforcing such different local law, even if NN Group does not seek legal recourse or file a report with a law enforcement agency.

Dutch Law

If you discover a vulnerability and investigate it, you might perform actions that are punishable by law. If you abide by the rules of our responsible disclosure policy for reporting vulnerabilities in our systems, we will not report your offence to the authorities and will not submit a claim.

It is important for you to know, however, that the public prosecutor’s office (Openbaar Ministerie) – not NN Group – will decide whether or not you will be prosecuted, regardless of whether NN Group files a report with the Dutch authorities. NN Group neither represents nor guarantees that you will not be prosecuted if you commit a criminal offence when investigating a vulnerability.

The National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.