Responsible Disclosure of Vulnerabilities

This policy aims to define the methodology for cooperation between the infosec community and NOS Comunicações S.A. to facilitate the identification and mitigation of the security vulnerabilities.

NOS Comunicações S.A. provides an appropriate channel for ethical and responsible disclosure of identified security vulnerabilities. The scope of the hereby defined policy is only applicable to vulnerabilities on platforms and servers belonging to NOS Comunicações S.A.

This Responsible Vulnerability Disclosure policy does not in any way constitute a public bug bounty program.

Methodology for Responsible Disclosure of Vulnerabilities:

If you identify a vulnerability which is covered by the scope defined within this policy, please contact the team at NOS Comunicações S.A. via the e-mail address: sec.rvd@nos.pt.

To guarantee confidentiality, we highly recommend that the e-mail be encrypted using the following PGP key: link


Scope of Activities:

1. Limited to platforms operated by NOS Comunicações S.A. Customer platforms are excluded.
2. The present policy does not constitute and does not represent a bug bounty program


What we ask of the community:

1. Do not use the information obtained in an abusive manner that may compromise the availability and confidentiality of the information and the integrity of the platform
2. Do not disclose identified vulnerabilities until they have been corrected and express permission has been given by NOS Comunicações S.A. to do so
3. Ensure the privacy of the users
4. Ensure a cooperative and responsible behavior in compliance with the law


Activities Out of Scope:

1. Exploitation of vulnerabilities or the use techniques that may lead to degradation or denial of service (DoS/DDoS)
2. Use of means and resources that are inadequate or disproportionate for proving identified vulnerabilities
3. The use of physical security tests, use social engineering techniques, human resource exploitation, spam or phishing as well as extend testing to third-party applications even if they are being used by NOS Comunicações S.A. platforms
4. Use of identified vulnerabilities or errors to access data beyond what is strictly necessary for verification of vulnerabilities
5. Erasure or modification of data
6. Issues related to general security recommendations:
   1. Errors related to common HTTP codes
   2. Spoofing of content or host header injection
   3. Information disclosure through publicly accessible service banners
   4. Publicly known files or directories with non-sensitive information (ex.: robots.txt)
   5. Non-existence of HTTP security headers (ex.: Strict-Transport-Security;X-Frame-Options;X-XSS-Protezction;X-Content-Type-Options;Content-Security-Policy)
   6. Configurações SSL (SSL forward secrecy not enabled;Weak ou insecure cipher suites)
   7. SSL Configurations (SSL forward secrecy not enabled;Weak ou insecure cipher suites)
   8. SPF, DKIM and DMARC configurations
   9. Deprecated software versions without known vulnerabilities

What you can expect from NOS Comunicações S.A.:

1. A response within a maximum of seven days with an evaluation of the reported vulnerability and the estimated timeframe for correction
2. By adhering to the rules and procedures described in this policy, no criminal prosecution will be made for facts related to the discovery of the reported vulnerability
3. We will not provide information to third parties without authorization, unless required by legal obligation
4. Recognition of the name/handle of the person that identified the vulnerability and the summary identification through the hall of fame;
5. In the context of the Responsible Disclosure Policy and within the applicable law, your personal data will be erased immediately after the reason for which they were processed. Any question regarding treatment or access to personal data should be addressed to dpo.privacidade@nos.pt