Locker Security Vulnerability Reporting Policy
Last updated March 30, 2020
We at NordLocker strive to maximize the security of our infrastructure and our customers' data. Therefore, we created a file ("Locker") that is encrypted with the most advanced NordLocker zero-knowledge encryption technology, and we welcome you to try to circumvent it. If you are able to crack the file and provide us with its contents as per the terms of this Policy, you will be eligible to claim a generous bounty.
Please note that your participation in this bounty hunt is voluntary and subject to the terms and conditions set forth in this Policy. By participating in the bounty hunt, submitting any results to us and/or applying for the reward, you acknowledge that you have read and agreed to this Policy.
You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what this Policy permits.
Scope of accepted findings
We only accept findings related to circumventing the encryption technology in the Locker. Any other security vulnerabilities related to NordLocker, its website or its services are out of scope and will not let you claim the bounty.
You must follow the principles below when participating in the bounty hunt:
- Do not perform any testing that could degrade the quality of our services.
- Do not use your findings for any other purpose except for what is needed to participate in this bounty hunt.
- Do not disclose any findings or accessed content to any third parties.
- Do not attempt any physical testing such as office access or social engineering attacks.
- Claims for rewards or other compensation as a condition for providing information are not accepted and could be regarded as extortion - a criminal offence under the penal law.
Reporting the findings
You need to be the first to provide us with the contents of Locker to be able to claim the bounty. When providing us with your findings, please also include:
- a step-by-step guide that would allow us to reproduce the finding;
- if applicable, accompanying evidence, e.g. screenshots;
- if possible, a way to fix the issue;
- any other information that you think is relevant.
To receive the bounty, you must disclose the contents of Locker directly and exclusively to us. You also must be the first person to do that.
We reserve the right to change the reward amount at any time throughout the term of this bounty hunt at our sole discretion. The reward amount that is declared on our website upon the date of your submission of your findings is the amount that will apply to you.
The reward may be denied if there is reason to believe that there has been a violation of this Policy.
To receive the reward, we will ask you to provide additional information for your identification. This information is necessary to transfer the reward money to you. All payments related to this bounty hunt are made in U.S. dollars via international bank/wire transfer.
Taxes on rewards given to you are your sole responsibility. The reward will be forfeited if it remains unclaimed or undeliverable for a period of six (6) months counting from the date you receive our confirmation of winning the reward.
You must not publicly disclose any findings until after we have had an opportunity to fix any vulnerabilities in our infrastructure. We ask you to give us at least a 90-day disclosure deadline. Reports that go against this principle will usually not qualify for this bounty hunt and may even get you a permanent ban. We reserve the right to bring deadlines forward or backward and to deny any request for public disclosure based on extreme circumstances.
By making a submission, you give us the right to use your provided disclosure-related information for any purpose.
You understand that your obligations under this Policy shall survive the termination of any other relationship between us.
This Policy is subject to change or cancellation by us at any time, without notice. As such, we may amend this Policy at any time. By continuing with your submission after such changes are posted, you accept those modifications.