For whom
For whom
Companies Accountancy firms
Employee Self Service
Mobile app Login
Online demo
Curious what Nmbrs can do for your HR and payroll administration?
Book a demo
Header-demo
Features
HR features
Expense declarations Digital signing HR workflows Leave registration Performance More HR features »
Payroll features
Direct payment Interactive payslip Payroll workflow Run check Year transition More payroll features »
Product
Product tour Integrations Mobile app Nmbrs Marketplace
Feature list
Get an overview of all Nmbrs features, plus supported industries and reports
Download
Pricing
Netherlands
Companies Accountancy firms
Sweden
Companies Accountancy firms
Online demo
Curious what Nmbrs can do for your HR and payroll administration?
Book a demo
Header-demo
Learn
Reading material
Resources Blog
Agenda
Events
New
Working less to achieve more: Why we think the 4-day workweek will work
Read blog
learning
About Nmbrs
About us
Who we are Careers
Get in touch
Contact us Support
We're hiring
Find the job opening that’s suited for you
Openings
Header-hiring
Buy now
Menu
Close
For whom
For whom
Companies Accountancy firms
Employee Self Service
Mobile app Login
Features
HR features
Expense declarations Digital signing HR workflows Leave registration Performance More HR features »
Payroll features
Direct payment Interactive payslip Payroll workflow Run check Year transition More payroll features »
Product
Product tour Integrations Mobile app Nmbrs Marketplace
Pricing
Netherlands
Companies Accountancy firms
Sweden
Companies Accountancy firms
Learn
Reading material
Resources Blog
Agenda
Events
About Nmbrs
About us
Who we are Careers
Get in touch
Contact us Support
Buy now
bookmark
Legal stuff

Responsible disclosure policy

At Nmbrs, we regard the security of our platform, network and products, as the highest priority. Therefore we constantly monitor our business network, and improve security on a daily basis. Despite our constant effort and care to keep our security off the notch, a weakness can be found. This can both be the case during the normal use of Nmbrs products, or by an explicit intention to find such a vulnerability. In all cases, we would like to hear from you, so we can improve based on your findings.

 

Scope of this policy

The scope of this policy is to inform everybody who found a weak spot about next steps. It is explicitly not an invitation to actively scan our infrastructure for weak spots. However, if you do find a vulnerability, we want you to know how we will handle that, what we expect from you, and what you can expect from us.

What do we expect from you?

If you have found a weakness in our application, please send us an e-mail to security-alert@nmbrs.com, encrypted with our PGP key.

For a clear description, please include the information below:
  1. What domain is this notification referring to?
  2. Please describe the steps you have taken
  3. What objects have you used? For example: filters, text fields, etc.
  4. What is the URL?
  5. Can you include a screenshot of the result?
  6. What browser(s) and what version(s) did you spot the weakness in?
  7. What operating system (and version) have you used?
  8. Can you include the application, script and/or code used?

If you would like us to include you in the follow-up, please include your contact details. We can understand if you wish to remain anonymous. 

  • Don’t abuse the vulnerability by for example downloading, editing, or deleting data.
  • Do not share the finding with anybody until we have investigated and solved potential issues. In our communication plan, we will decide how we are going to communicate about the vulnerability. If you wish, we can share this communication plan with you.
  • Don’t use any attacks on physical security, of hacking or social engineering tools, for example vulnerability scanners.

 

What can you expect from us?

  • After sharing your findings with us, we will confirm the received message and start investigating with high priority. Within 2 business days, we will respond to you with our evaluation of your and our findings, and with an expected resolution date.
  • Your report will be handled confidentially. No personal information will be shared with third parties without your written consent. The only exception is if we are demanded by authorities (such as the police) to share this information.
  • If you wish, we will keep you informed about the progress of the solution for the reported issue.
  • If you follow the rules in this policy, we will not take legal actions against you.
Questions?

Feel free to reach out to our compliance officer

Our compliance team is happy to help and will get back at you within 3 workdays.

Get in touch