Inscene Company BV is committed to the security of Networkapp. As part of this, we encourage security researchers to put our security to the test. The details of this vulnerability reporting program are listed below. If you are not a security researcher and would like to know more about security at Networkapp, you can view our security statement or contact us at info@networkapp.com so we can provide you with relevant information.
Scope
Included in the scope of the vulnerability program are:
- Networkapp (on iOS and Android)
- app.networkapp.com
- Networkapp API
- Networkapp dashboard
- Networkapp website
Not in scope:
- The support/chat module in the website and dashboard
Report a vulnerability
If you believe you have discovered a vulnerability, please contact us at security@networkapp.com
- Include as many details as possible and a step-by-step plan to reproduce the issue
- If you include screenshots or videos, make sure they are not publicly viewable
- If you are interested in being listed in our hall of fame, please include your name and 1 link to be listed
- Networkapp will acknowledge your report within 3 days
- After reporting, you will stick to the disclosure guidelines as listed in the next section
- Networkapp will inform you about the validity and status of your report in a timely fashion
- The public acknowledgement will be published at the time of fix
Program Rules
- Take explicit care not to interact with users and data that you did not enter yourself
- Do not make attempts to disrupt operations (e.g. brute force, (D)DoS or other forms of high volume requests)
- Public acknowledgement will only be given to the first reporter of any issue
- Do not perform automated security scans
- Follow our disclosure guidelines as listed in the next section
Disclosure
- You will not disclose the vulnerability until we have acknowledged that the issue has either been fixed or is not regarded as a valid issue.
- If you plan to disclose the vulnerability, you will notify us in advance so we can work out a timeline together.
Reward
As part of the vulnerability program, we will publicly thank the first reporter of a vulnerability on our security hall of fame, provided that the report followed the guidelines stated above.
View our security hall of fame
Explicitly excluded from any rewards are reports regarding:
- Lack of DNSSEC
- Missing recommended HTTP security headers
- Clickjacking
- Missing CSRF on forms that do not require an active user session
- Brute force, (D)DoS and rate-limiting related findings
- Outdated library/software versions without proof of an actual exploit
Contact our security team at security@networkapp.com