
Coordinated Vulnerability Disclosure (CVD) Policy

Nedap N.V. and its subsidiaries

Help us keep Nedap secure

Security and privacy are essential to the trust our customers place in us. At Nedap, we continuously work to secure our products, services, and systems - and we welcome help from the security community.

If you discover a vulnerability in one of our products or systems, we encourage you to report it responsibly. This page explains how to do that, what we expect from you, and what you can expect from us.

This policy applies to Nedap N.V. and all subsidiaries worldwide. Nedap welcomes and encourages good-faith reporting of vulnerabilities. We recognize the value of collaboration with security researchers and the community in improving cybersecurity.

This policy applies to:

  • All Nedap products (hardware, software, firmware, SaaS)
  • Online platforms and portals operated by Nedap
  • Nedap-managed infrastructure and cloud environments
  • Domains owned and operated by Nedap

If certain systems are excluded from this CVD policy, this will be clearly stated on the relevant website. Please do not use the contact methods mentioned below for requests for general support or complaints.

Reporters should only report vulnerabilities that:

  • Are genuine and reproducible.
  • Affect a Nedap product, service, firmware, hardware, or internet-facing system.
  • Have a realistic potential for exploitation.

Examples (not exhaustive) include:

  • SQL injection, command injection, remote code execution, or similar vulnerabilities
  • Cross-site scripting (XSS) with real impact
  • Broken access control, authentication bypass, or privilege escalation issues (e.g., access to other users' data)
  • Exposure of sensitive data, including hardcoded credentials
  • Insecure default configurations and security misconfigurations that create exploitable risk
  • Cryptographic weaknesses that create exploitable risk

If you are unsure whether something qualifies, feel free to report it - we’re happy to review.

Examples of what is generally out of scope

The following are typically not considered security vulnerabilities unless there is clear, demonstrated impact:

  • Automated scanning results without validation, such as version headers or other information disclosures
  • Missing HTTP security headers without practical exploitability
  • Older TLS configurations without practical exploitability
  • Rate-limiting suggestions without proof of abuse
  • Theoretical vulnerabilities without practical impact
  • Clickjacking on non-sensitive pages
  • Denial-of-service testing using high traffic volumes
  • Social engineering or phishing attempts
  • Physical security testing
  • Issues in third-party systems not managed by Nedap

If your report falls outside scope, we will let you know.

If you discover a potential security issue, please report it through one of the following:

  • Send an email to our Coordinated Vulnerability Disclosure email address: cvd@nedap.com
  • Use the web form on Zerocopter

To help us respond quickly, please include:

  • A clear description of the issue
  • The affected product, service, URL, or system
  • Steps to reproduce the issue
  • Proof of concept (if applicable and safe)
  • The potential impact
  • Your contact details

We ask that you:

  • Act in good faith
  • Do not disrupt our services
  • Do not access, modify, or delete data that does not belong to you
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them
  • Do not use social engineering, phishing, or physical intrusion techniques
  • Give us reasonable time to investigate and fix the issue before public disclosure

If you accidentally access sensitive information:

  • Stop immediately
  • Do not store or share the data
  • Inform us right away

If you follow this policy and act in good faith:

  • We will not initiate legal action against you
  • We will not report your research to law enforcement
  • We will treat your testing as authorized under this policy

This safe harbor applies only to research conducted in compliance with this policy and does not extend to activities that intentionally compromise data confidentiality, privacy rights, or applicable law.

When you report a vulnerability, we:

  • Aim to acknowledge receipt within 2 working days (no later than 5 working days)
  • Assess and validate the report
  • Keep you reasonably informed of progress
  • Prioritize remediation based on risk

We use structured vulnerability management processes aligned with ISO 27001 security management practices, Dutch National Cyber Security Centre (NCSC) guidelines and the EU NIS2 Directive.

As an organization operating under NIS2 cybersecurity requirements, we take vulnerability handling, risk management, and incident response seriously. Responsible disclosure helps us improve resilience across all business units.

We follow coordinated disclosure principles.

Our general approach is that vulnerabilities are assessed using CVSS (Common Vulnerability Scoring System) or an equivalent risk-based methodology. Critical vulnerabilities are addressed as quickly as possible; each other severity level has a corresponding target resolution time. The default target for resolving coordinated disclosure vulnerabilities is within 90 days.

If a fix takes longer, we will communicate transparently.

If customer risk is significant, we may publish mitigation guidance earlier.

We prefer to coordinate public disclosure together with you. If you would like to be acknowledged in a security advisory, we are happy to do so.

For vulnerabilities affecting firmware in Nedap products, we aim to develop and make available a corrected firmware version within the applicable targeted resolution time.

However, once a patched firmware version has been released, the installation of that update by customers, clients, or business partners depends on their own operational planning and deployment processes. The time required for third parties to implement firmware updates is outside the scope of this policy and outside Nedap’s direct control.

We strongly encourage timely installation of security updates once they are made available.

While we do not operate a formal bug bounty program, we appreciate responsible disclosure and may offer recognition at our discretion.

This policy does not grant permission to violate applicable laws or regulations. You remain responsible for complying with all laws while conducting research.
