Vulnerabilities

How we handle vulnerabilities

Nextway’s vulnerability management procedure is designed to proactively identify, assess, and mitigate security vulnerabilities.

In response to identified vulnerabilities or security incidents, Nextway follows a well-defined and SoC2 audited process.

If you, as a customer or partner, identify a potential vulnerability, please share the details with Nextway by sending an email to security@nextway.software

It is a prerequisite that full details of the suspected vulnerability are documented in way that Nextway can validate and reproduce the issue.

When reporting an incident

Our commitment when handling suspected vulnerabilities is to use reasonable efforts to:

• Respond in a timely manner, acknowledging receipt of your vulnerability report
• Provide an estimated time frame for addressing the reported vulnerability
• Notify you when the vulnerability has been fixed

In return we ask you to comply with the following procedures.

Please report any potential security vulnerabilities individually to Nextway via email at security@nextway.software

Before submitting your security vulnerability findings, we require you to validate that the security vulnerability finding is not a false positive. This will require a security resource on your end to review and validate findings (especially for automated scanner report output).

With each finding, please include the following information:

• Description of the vulnerability: Include information such as targeted functionality, vulnerability that is identified and affected endpoints
• Replication Steps to reproduce the security vulnerability finding
• Proof of Concept: Provide screenshots and/or HTTP requests & responses and/or Sample of vulnerable code, clearly demonstrating that the vulnerability is exploitable
• Possible impact of the security vulnerability finding: Include information such as what can an attacker achieve if the vulnerability is exploited, who can launch the attack (remote/local user, internal/external user, authenticated/unauthenticated user, viewer/editor/admin etc...) and how easy is it for an attacker to discover and exploit the vulnerability.

Please submit reports in English.