Responsible Disclosure Policy

Narmi’s Responsible Disclosure Policy

We take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Narmi until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue; and
  • Not pursue or support any legal action related to your research as long as you:
    • Do not cause harm to Narmi, our customers, or others;
    • Do not initiate a fraudulent financial transaction; and
    • Do not store, share, compromise or destroy Narmi or customer data.

Scope

The following services are in scope:

  • narmi.com and subdomains
  • narmitech.com and subdomains
  • Narmi hosted subdomains of our customers

Out of scope

Any services hosted by third-party providers are excluded from scope. These services include:

  • Twilio
  • Sentry
  • Amazon Web Services

In addition, the following classes of vulnerability are considered out of scope:

  • Host header attacks
  • Login/logout CSRF
  • Vulnerabilities which require a jailbroken mobile device

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@narmi.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (proof of concept scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in our Hall of Fame.

If you’d like to encrypt the information, please use our PGP public key.
