If you believe you have found a vulnerability in one of our products or systems, we encourage you to reach out to us.
- The component affected (Nexthink product, nexthink.com website…);
- The class of the vulnerability identified;
- A non-destructive proof-of-concept of the vulnerability, or instructions on how to reproduce it.
Feel free to write your e-mail in English or French, whichever is best for you. If you wish to encrypt your e-mail, you can use the following PGP key.
- Do not exploit or take advantage of the vulnerability more than strictly necessary for us to be able to
- Do not disrupt the service or intentionally perform any change to a production system.
- Do not communicate information about the vulnerability to any third party without our explicit consent. Similarly, do not share with anyone any data that you might have accessed to demonstrate the impact of the vulnerability.
- Do securely delete all data retrieved as part of your vulnerability report as soon as it is no longer required.
- We will do our best to acknowledge your report in less than 72 hours.
- We will keep you up to date about the investigation we perform regarding the reported vulnerability.
- We will not pursue any legal action against you for reporting and demonstrating the vulnerability if you follow the guidelines above.
- We will handle your report as confidential and will not share it outside Nexthink unless we are legally required to do so.
Please note that we currently do not offer a paid bug bounty program.