Vulnerability Disclosure Program

Program Overview

Thank you for helping us uphold the highest standards of security.

We continuously work to protect our systems and users, but we understand that no system is flawless. We appreciate responsible disclosure and the collaboration of security researchers worldwide who help us identify and address potential vulnerabilities, strengthening Narvar's overall security posture.

Reporting Security Vulnerabilities

If you have discovered a potential security vulnerability, we encourage you to report it to us promptly. We take all reports seriously and will investigate and address any valid findings.

Program Scope

🎯 Targets In Scope

corp.narvar.com
*.narvar.com
Narvar Web Applications
Narvar APIs
Narvar Infrastructure and Cloud Services

In-Scope Vulnerability Examples

Our vulnerability disclosure program covers security vulnerabilities found on the Narvar platform, including but not limited to:

Remote Code Execution
Significant Authentication Bypass
Significant Authorization Bypass
Cross Instance Privilege Escalation
Server Side Request Forgery (SSRF)
Insecure Direct Object Reference (IDOR)
Injection (SQL, NoSQL, LDAP, etc.)
Cross-Site Scripting (XSS) (excluding self-XSS)
Cross-Site Request Forgery (CSRF) on critical actions
Insecure/Open Redirect (which allows stealing secrets/tokens)
(Sub)domain hijacking or DNS Hijacking
Findings that reveal valid and bulk sensitive data of our customers and staff

🚫 Targets Out of Scope

All sandbox and staging environments
All external services/software not managed or controlled by Narvar
Third-party software or services
Social engineering attacks
Physical security issues

Out of Scope Vulnerability Examples

Missing HTTP security headers (e.g., X-Frame-Options, X-XSS-Protection, Opener Policies)
SSL/TLS issues (e.g., BEAST, BREACH, weak/insecure cipher suites)
Descriptive error messages (e.g., stack traces, application or server errors)
Spamming (e.g., SMS/Email Bombing)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting/banner disclosure on public services
MITM attacks – traffic interception-based attacks are out of scope
Disclosure of known public files or directories (e.g., robots.txt, readme.txt)
CSRF on forms available to anonymous users (e.g., the contact form)
Login-Logout cross-site request forgery
Presence of application or browser 'autocomplete' or 'save password' functionality
Lack of Secure and HTTPOnly cookie flags
OPTIONS/TRACE HTTP method enabled
HTTPS Mixed Content Scripts
Vulnerabilities that require installation of software on the victim's device
(Distributed) Denial of Service attacks
Vulnerabilities requiring physical device access or root/jailbroken devices
SSL Pinning bypass and bypassing root/jailbroken detection
Any language, grammar, technical inaccuracy, or UI/UX issues
Expired domains, SSL/TLS certificates, or leakage via Certificate Transparency Logs
Unclaimed social media accounts
Reports of keys/tokens in JS without proven exploitability
Use of known-vulnerable libraries or frameworks
Vulnerabilities affecting outdated/unpatched browsers
Subdomain takeover issues without valid proof of concept
Known CVE vulnerabilities without proof of exploitability
Bugs already classified as ineligible
Rate limiting or IP-based rate limiting (unless it implies a severe threat)
Social Engineering / Phishing attacks

Response Timeline

⏰ Our Commitment

Initial Response: Within 24 hours of report submission
Validation: Within 3-5 business days
Resolution: Based on severity and complexity
Updates: Regular communication throughout the process

Guidelines and Terms

Program Guidelines

To ensure a successful vulnerability disclosure program, please adhere to the following guidelines:

Do not violate user privacy, destroy data, or disrupt Narvar services
Do not disclose or share any reported vulnerabilities before resolution
Only target systems and assets within the defined scope
Provide clear and detailed reports, including steps to reproduce the vulnerability
Respect user privacy and confidentiality
Do not perform any attack that could harm the reliability, integrity, and capacity of our services. DDoS / spam attacks are not allowed

Eligibility and Participation

All researchers must agree to Narvar terms and conditions for participating in the Program
Narvar employees, contractors, and their families are not eligible for rewards
Only the first report of a given issue that Narvar had not yet identified is eligible
If the issue reported is already identified by Narvar and is in the process of resolving, then such issue shall not be eligible for reward
Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Narvar
If a researcher inadvertently accesses proprietary customer, employee, or business related information during testing, the information will be contractually restricted from being used, disclosed, stored, or recorded in any way
Inadvertent access of the data must be declared within your submission

Legal Considerations

While we appreciate your participation, it is essential to respect and comply with all applicable laws and regulations. We will not take any legal action against security researchers who act responsibly and in good faith during their participation in the vulnerability disclosure program.

However, any unauthorized actions or attempts to exploit vulnerabilities beyond the defined scope will be handled according to the law.

Note: Submissions are only eligible for validation when submitted through our official vulnerability disclosure platform. Any submissions via email or alternative communication sources will not be considered.

VDP Program Clarification: This is a Vulnerability Disclosure Program (VDP) focused on responsible security research. While we do not offer monetary rewards, we recognize and appreciate security researchers through our Hall of Fame program. Contributors who help improve our security posture will be acknowledged for their valuable contributions to our security community.