Nulab Inc. Vulnerability Disclosure Program
Introduction
Online Collaboration Tools for Modern Teams.
Software made for collaboration and powered by the cloud.
In Scope
You can only submit a report targeted towards one of the following scopes:
- Web Service: Nulab Apps (apps.nulab.com)
- Web Service: Backlog (*.backlog.com)
- Web Service: Backlog (*.backlog.jp)
- Web Service: Backlog (*.backlogtool.com)
- Web Service: Cacoo (cacoo.com)
- iOS: Backlog (https://apps.apple.com/app/id863872037)
- Android: Backlog (https://play.google.com/store/apps/details?id=backlog.android)
- Web Service: Nulab Website (nulab.com)
- Other: Other Services presented by Nulab Inc.
Guideline
Introduction
We welcome feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
In Scope
This policy applies to any digital assets owned, operated, or maintained by us.
Our Commitments
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report.
- Strive to keep you informed about the progress of a vulnerability as it is processed.
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
- Extend Safe Harbor for your vulnerability research that is related to this policy.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
- Respect privacy & make a good faith effort not to access, process or destroy personal data.
- Be respectful when interacting with our team, and our team will do the same.
- Exercise caution when testing to avoid negative impact to customers and the services they depend on.
- Stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
- Do not conduct research outside of what is outlined in "In Scope".
- Do not publicly disclose a Vulnerability and a Research Result without our explicit review and consent.
- Do not leave any system in a more vulnerable state than you found it.
- Do not submit a report generated by automated tools without additional analysis of how the findings are an issue.
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not engage in any form of social engineering of our employees, customers, or partners.
- Do not attempt to extract, download, or otherwise exfiltrate data that may have PII or other sensitive data other than your own.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Do not interact with accounts you do not own or without explicit permission from the account holder.
- Do not do anything that is prohibited by the terms of use below:
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. We reserve all legal rights in the event of noncompliance with this policy.
By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission. By making a Submission, you give us the right to use your Submission for any purpose.
Please check this site regularly as we routinely update this policy and eligibility, which are effective upon posting.
We also reserve the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms.