Guidelines
We seek to deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
- Notify us as soon as possible after the discovery of a real or potential security issue or upon gaining unauthorized access to a system.
- Do not harm and do not exploit any vulnerability beyond the minimal amount of testing required to confirm the vulnerability’s presence.
- Avoid intentionally accessing the content of any communications, data, or information transiting or stored on NuVasive information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- Do not exfiltrate any data under any circumstances.
- Do not conduct denial of service testing or any other testing that would impact the operation of NuVasive’s systems.
- Do not conduct any non-technical attacks such as social engineering (e.g., phishing) or physical testing (e.g., office access).
- Do not perform any brute-force attacks.
- Avoid tests that could cause degradation or interruption of the websites and services. Any automated requests/scanning must be kept to under 5 requests per minute.
If at any point you are uncertain whether to continue testing, please reach out to [email protected]. Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.