Security Vulnerability Disclosure Policy (VDP)
of X-Net Services GmbH & X-Net Technologies GmbH (Security Vulnerability Disclosure Policy, compliant with ISO 29147:2020)
The security of our products and services is our top priority. Every report helps to make our systems more secure. This policy describes how you can report vulnerabilities in our systems or products in a secure, responsible, and legally compliant manner.
What do we consider a vulnerability?
Any issues that affect the availability of our services, especially if these issues are the result of hostile actions or attacks.
Any threat, destruction, manipulation, or unauthorised modification of data hosted by X-Net Services GmbH or X-Net Technologies GmbH, as well as the integrity of this data.
Any compromise of data considered confidential that belongs to X-Net Services GmbH or X-Net Technologies GmbH, so that information which is subject to access restrictions becomes accessible, is disclosed, stolen, or removed without authorisation.
Scope:
www.x-net.at and all associated subdomains, as well as all websites owned and operated by X-Net Services GmbH and X-Net Technologies GmbH.
Products and services of X-Net Services GmbH and X-Net Technologies GmbH (e.g., Mox Linux Gateway, Sec³, custom software).
Other systems and infrastructures owned or controlled by X-Net Services GmbH and X-Net Technologies GmbH.
Reporting a vulnerability:
Please report vulnerabilities exclusively to: security@x-net.at
To help us fix the vulnerability, please include the following information in your report:
Specification of the affected system, product, or service and the version in which the vulnerability occurred
Detailed instructions on how to reproduce the vulnerability (preferably a step-by-step list)
If possible: Sample code (“proof-of-concept code”) to demonstrate the problem
If applicable: specify whether you are logged in or out as a user when the problem occurs
For XSS or vulnerabilities that require a specific browser or plugin to exploit, please specify the browser and version you are using. The exact version of each software used is helpful.
If possible: OWASP vulnerability category (using OWASP Top 10 for 2017) or CWE ID (using CWE By Research Concepts)
CVE, if assigned (using the NIST CVE database)
Date and time when you discovered the vulnerability
Any other additional information needed to investigate or reproduce the issue
Contact information and preferred means of communication through which we should contact you
We strive for open and cooperative communication with all reporters. All communication is confidential.
We ask that you ...
Do not disclose vulnerabilities before we have jointly assessed and fixed them
Act responsibly and in accordance with applicable law
Do not use automated scans without prior written consent
Avoid activities that could lead to failures or impairments of our services
Refrain from unauthorised access to personal data or systems
Even if you are acting within the scope of security research, your activities must comply with this policy and applicable law. As long as you act in good faith and within the scope of this policy, the responsible parties at X-Net Services GmbH and X-Net Technologies GmbH will be happy to work with you. Otherwise, we will unfortunately be forced to take legal action against you.
What happens when vulnerabilities are reported?
We…
carefully review each report we receive.
attempt to reproduce the problem and assign the bug a priority level appropriate to its severity.
decide whether it is actually a security issue.
in doing so, evaluate the problem in terms of reproducibility, criticality, affected systems/products, and exploitability.
We will respond to your report within 5 business days and work with you to find a timely solution, including:
Scheduled bug fix dates or interim solutions (e.g., workarounds).
Opportunity to provide feedback on queries or tests.
The bugfix …
is reviewed in accordance with the state of the art
is rolled out to the affected system, product, or service.
How are vulnerabilities and bug fixes disclosed?
In the spirit of responsible disclosure, we publish information about security-related vulnerabilities within 90 calendar days of receipt, unless:
The finder requests a different schedule and we agree on another appropriate course of action.
The vulnerability is fixed within this period and published immediately.
Publication takes place via:
A technical advisory on our website or via appropriate communication channels to reach affected customers directly
If necessary, a CVE assignment (if registered)
Information on affected versions, solutions, etc.
Upon request, we will name you as the discoverer once the vulnerability has been fixed and published.
Disclaimer
This policy does not constitute approval for security-related activities outside the scope defined herein. X-Net Services GmbH and X-Net Technologies GmbH reserve the right to change or modify this policy at any time.