
Vulnerability Disclosure Policy

At NT-ware, we view the security of our IT systems seriously and value the security community. Disclosure of security weaknesses helps us to safeguard the security and privacy of our users by acting as a trusted partner. This policy underlines the requirements and mechanisms of NT-ware’s IT Systems and Product Vulnerability Disclosure. It enables researchers to report security vulnerabilities safely and ethically to the NT-ware IT Operations team.

What is in scope?

NT-ware invites security researchers to help strengthen NT-ware and our product offering by proactively reporting security vulnerabilities and weaknesses. NT-ware, being part of the Canon Group, will work in combination with the Canon PSIRT team on all submissions.

Domains in scope

The table below lists all domains included as part of the NT-ware Vulnerability Disclosure Policy.

*.nt-ware.com          *nt-ware.net
*.uniflowonline.com    *.uniflow.global
*.buildit-global.com   *uniflow-demo.com
*.ulmtracker.com       *.syshub.global

Products in scope

  • uniFLOW server
  • uniFLOW Online
  • uniFLOW sysHUB
  • uniFLOW Embedded Applets
  • uniFLOW Release Station
  • microMIND V2

Reporting a vulnerability

You can report weaknesses to us by email at product-security@nt-ware.com, stating concisely what weakness(es) you have found, with as much detail as possible, together with any evidence you might have. Be aware that NT-ware is part of the Canon Group and as such works closely with the Canon PSIRT team. Responses to submitted VDP reports may come from either organization as part of our triage and response process.

Please include the following information in your email:

  • The type of vulnerability.
  • The step-by-step instructions as to how to reproduce the vulnerability.
  • The approach you undertook.
  • The entire URL.
  • Objects (as filters or entry fields) possibly involved.
  • Screenshots are highly appreciated.
  • Please provide your IP address. This will be confidential; NT-ware will use this information to track your testing activities and review the logs.

What is not acceptable?

  • Volumetric/denial of service vulnerabilities, i.e. simply overwhelming our service with a high volume of requests.
  • TLS configuration weaknesses, e.g. "weak" cipher suite support, TLS 1.0 support, SWEET32, etc.
  • "Self" XSS.
  • Mixed Content Scripts on www.nt-ware.*
  • Insecure Cookies on www.nt-ware.*
  • CSRF and CRLF attacks where the resulting impact is minimal.
  • HTTP Host Header XSS without working proof-of-concept.
  • Incomplete/missing SPF/DMARC/DKIM.
  • Social engineering attacks.
  • Security bugs in third-party websites that integrate with NT-ware websites.
  • Network data enumeration techniques, e.g. banner grabbing, publicly available server diagnostic pages.
  • Reports indicating that our services do not fully align with "best practice."
  • Automated software scanner output.

What do we do with your report?

  • The Canon PSIRT team will review the reported vulnerability and collaborate with the NT-ware Security team to validate and categorize the findings.
  • The reporter can expect an acknowledgment of receipt from us within 3 business days after receiving the initial submission. Please be advised that we may not respond to every report.

Your privacy

We will only use your personal details when considering what action to take based on your report. We will not share your personal information with others without your express permission. Further information regarding our privacy policy can be found at the bottom of this page.

Reporting criteria

Potentially illegal actions

If you discover a weakness and investigate it, you should be aware that you might perform actions punishable by law. Provided you follow the rules and principles below when reporting weaknesses in our IT systems, NT-ware will not report your offense to the authorities and will not submit a claim.

However, you need to know that the public prosecutor's office, not NT-ware, may decide that you should be prosecuted, even if NT-ware has not reported your offense to the authorities, i.e. NT-ware cannot guarantee that you will not be prosecuted if you commit a punishable offense when investigating a weakness.

The National Cyber Security Centre of the Ministry of Security and Justice Netherlands has created guidelines for reporting weaknesses in IT systems. NT-ware’s rules are based on these guidelines. (Home - National Cyber Security Centre)

General principles

Take responsibility and act with extreme caution. When investigating the matter, only use methods or techniques necessary to find or demonstrate weaknesses.

You must not:

  • Violate any law or regulations.
  • Access unnecessary, excessive or significant amounts of data.
  • Copy more than you need. If one record is sufficient, do not go any further.
  • Modify data in NT-ware's systems or services.
  • Use high-intensity invasive or destructive scanning tools to identify vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt or alter NT-ware's services, systems or information.
  • Demand financial compensation in order to disclose any vulnerabilities.
  • Publicly disclose any resolved vulnerability report without prior written consent from NT-ware.
  • Use any weaknesses you detect for purposes other than your own research.
  • Use social engineering to gain access to a system.
  • Install any back doors, not even to demonstrate the vulnerability of a system, as they will weaken the system's security.
  • Use brute force techniques, e.g. repeatedly entering passwords to gain access to systems.
  • Use a Denial of Service (DoS) type of attack to gain access.

You must:

  • Securely delete all data retrieved during your research as soon as it's no longer needed or within one month of resolving the vulnerability, whichever occurs first, or as otherwise required by data protection law.
  • Always comply with data protection rules and do not violate the privacy of NT-ware's users, staff, contractors, services or systems, i.e. you must not share, redistribute or fail to properly secure data retrieved from the systems or services.
  • Only infiltrate a system if it is really necessary to do so.
  • Do not share access with others if you manage to infiltrate a system.

Frequently asked questions

Do you have a bug bounty program?

We do not conduct a bug bounty program. Accordingly, please acknowledge that there is no expectation of payment or compensation and that any future right to claim related to the submitted report is waived.

Am I allowed to publicize the results of my investigation?

Never publicize weaknesses in NT-ware IT systems and products or your research without consulting us first. Canon PSIRT and the NT-ware teams will work with you to ensure you are appropriately recognized in any public notifications for your efforts.

Can I report a weakness anonymously?

Yes, you can. You do not have to disclose your name and contact details when you report a weakness. Please realize, however, that NT-ware will be unable to consult with you regarding follow-up actions or further collaboration.