top of page

CONTACT US

GET IN TOUCH. WE CARE.

NORTHEAST

GENERAL INQUIRIES

Get in touch with NEC Group with any general questions by clicking the button below. We look forward to speaking with you.

INFO@NECGROUP.COM

781-585-0040

Vulnerability Disclosure Policy

We know that any system and infrastructure can be(come) vulnerable. We encourage everyone to report security vulnerabilities.
This protects us, our customers, partners and stakeholders and makes the world a little more secure.

 

Safe Harbor

We will not take any legal action against activities complying with this policy. If legal actions are initiated by third parties due to activities compliant with this policy, we will take actions to make it known to responsible and/or legal authorities.

 

Our promise

We will review and respond to your report promptly and conduct an open dialog with you. We will provide a timeline for when we expect the vulnerability to be fixed. 

 

Your promise

You promise to use discovered vulnerabilities for no other purpose than reporting them to us. Vulnerabilities are reported exclusively and privately, promptly after detection. You promise to not take actions with the intention to harm us, our customers, partners, or any other stakeholder.

​

Scope

The scope of this vulnerability disclosure policy (VDP) includes:

​

The following activities are prohibited:

  • Denial of service (incl resource-exhaustion, automated scanners with high loads, deleting data, fuzzing, etc)

  • Spamming

  • Social engineering (including phishing)

  • Physical access (incl entering or surveilling properties)

  • Attacking non-internet facing systems (internal networks, private IPs, workstations, etc)

  • Installing persistent backdoors

 

Issues without direct security impact, lack of hardening, or defense-in-depth measures are out of the scope of this VDP. This includes (but is not limited to):

  • Presence/absence of DKIM/SPF/DMARC records

  • Missing http headers (such as CSP, Permissions-Policy, etc)

  • Clickjacking

  • Missing http cookie flags

  • Information disclosure of non-sensitive contents (like robots.txt, sitemap.xml, files, directories, etc)

  • Absence of best practices

  • Self-Attacks

  • CSRF with low or no impact

  • Open ports

  • Attacks requiring pre-conditions that would be security issues per se (e.g. usage of outdated browsers, vulnerable browser plugins, weak user passwords)

  • Lookalike domains

  • Homograph attacks

  • Broken links

  • Metadata in assets (like images, PDFs, etc)

  • Theoretical attacks with no realistic exploit scenario

  • Weak SSL/TLS settings

  • Software that is out of date without proven security impact

  • Missing multi-factor authentication

  • Recently patched vulnerabilities in third-party software within two weeks after publication

 

Contact

Please contact us via email at services@necgroup.com

 

Thank You to all who report security vulnerabilities to us.

​

© 2025 by NEC Group.

NEC_GROUP_LLC-01.webp
  • LinkedIn
  • Facebook
  • Instagram
bottom of page