Vulnerability Disclosure Policy

At Noralsy, we are committed to handling security issues in a coordinated, responsible, and constructive way, to ensure the highest level of protection for our customers, partners, staff, and all users of our online services.

A security vulnerability is a weakness in our systems, applications, or services that may compromise their security. This policy applies to any security vulnerabilities identified either by Noralsy employees or by external researchers or users.

Responsibility for this policy lies with Noralsy’s management team, which will review it at least annually. All staff members are required to adhere to this policy and receive regular training on security best practices.

Reporting a Vulnerability

If you have identified a vulnerability affecting any of our services or wish to report a security incident, please contact us at: vulnerability@noralsy.com.

  • To ensure confidential communication, our PGP key is available upon request.

When submitting your report, please include the following:

  • The website, IP address, or specific page where the vulnerability is located;
  • A brief description of the vulnerability type (e.g., “XSS vulnerability”);
  • Steps to reproduce the issue, ideally as a benign, non-destructive proof of concept, to help us assess and resolve the issue efficiently.

What Happens After You Report a Vulnerability?

Once we receive your report, Noralsy will take the following steps:

  1. Prompt acknowledgment of your submission;
  2. Request for confidentiality during the resolution process;
  3. Thorough investigation of the vulnerability, in collaboration with you if necessary;
  4. Estimated timeframe for fixing the issue;
  5. Notification once the issue is resolved, allowing for retesting if needed;
  6. Public disclosure of the fix in our release notes, and possibly via social media.

Unless you prefer to remain anonymous, we will credit you for your contribution to improving our security.

Rules of Engagement

You must not:

  • Break any applicable laws or regulations;
  • Share details of the vulnerability except via the contact methods outlined in our security.txt;
  • Use high-impact or destructive tools that may degrade the performance or availability of Noralsy’s infrastructure;
  • Conduct physical security tests or social engineering targeting Noralsy staff or systems;
  • Attempt or report any kind of Denial-of-Service (DoS) attacks;
  • Submit reports related solely to TLS configuration issues (e.g., support for TLS 1.0 or “weak” ciphers);
  • Demand financial compensation before or after disclosing any vulnerabilities.

You must not disclose any identified vulnerabilities to third parties or the public before Noralsy confirms that the issue has been properly mitigated. This does not prevent you from notifying parties who are directly affected, as long as confidentiality is maintained until resolution.

You must also:

  • Always respect data protection laws and not violate the privacy of Noralsy’s users, employees, contractors, services, or systems;
  • Never share, redistribute, or mishandle data retrieved during your research;
  • Securely delete all data obtained during testing once it is no longer necessary or within 1 month of the vulnerability being resolved, whichever comes first (unless otherwise required by law).

Legal Considerations

This policy follows recognized best practices for responsible disclosure. It does not grant you permission to act in any way that would be illegal or cause Noralsy to violate its legal obligations, including (but not limited to):

  • The General Data Protection Regulation (GDPR – EU Regulation 2016/679);
  • The French Penal Code (especially regarding unauthorized access to IT systems);
  • The French Intellectual Property Code.

Noralsy will not take legal action against any security researcher who reports a vulnerability in good faith and in compliance with this policy.