Vulnerability Disclosure Policy

LAST UPDATED: APRIL 2026

SECTION 1 - INTRODUCTION

1.1 At Nelko, the security of our customers and the integrity of our hardware and digital ecosystem are our top priorities. We are committed to ensuring that personal information is protected carefully and handled with discretion. We appreciate the efforts of security researchers who help us identify and fix potential vulnerabilities.

SECTION 2 - SAFE HARBOR (LEGAL PROTECTION)

2.1 Nelko considers security research conducted in accordance with this policy to be authorized. If you comply with the guidelines below, we commit to the following:

2.2 No Legal Action: We will not initiate legal action against researchers who discover and report vulnerabilities in good faith.

2.3 Cooperation: We will work with you to understand and resolve the issue quickly.

2.4 No Harassment: We will not pursue or support law enforcement investigations into your research, provided it remains within the scope of this policy.

SECTION 3 - SCOPE OF TESTING

3.1 To protect our users and infrastructure, we have strictly defined the boundaries of what is "in-scope."

3.2 In-Scope:

3.2.1 Official Domain: .nelko.net

3.2.2 Software: Official Nelko-branded mobile applications and printing software.

3.2.3 Hardware: Firmware and communication protocols of Nelko-branded printers.

3.3 Out-of-Scope:

3.3.1 Third-Party Services: Services hosted by third parties (e.g., Shopify, PayPal, Mailchimp).

3.3.2 Physical Security: Attacks against Nelko’s physical offices, warehouses, or personnel.

3.3.3 Social Engineering: Phishing or deception targeting Nelko employees or customers.

SECTION 4 - REPORTING PROCESS

4.1 If you believe you have found a security vulnerability, please submit a report to: security@nelko.net.

4.2 Required Report Details:

4.2.1 A detailed description of the vulnerability and its potential impact.

4.2.2 The affected URL, application, or hardware model.

4.2.3 Step-by-step instructions or Proof-of-Concept (PoC) to reproduce the issue.

4.2.4 Suggested mitigation or remediation actions.

SECTION 5 - GUIDELINES FOR RESEARCHERS

5.1 To remain protected under the Safe Harbor clause, researchers must:

5.2 Protect Privacy: Avoid accessing, modifying, or deleting data that does not belong to you.

5.3 No Data Exfiltration: Do not download or store more data than is strictly necessary to prove the vulnerability exists.

5.4 No Public Disclosure: Do not share or publish vulnerability details until Nelko has had a reasonable amount of time to resolve the issue.

5.5 No Monetary Rewards: Nelko does not offer any monetary (cash) rewards for identified vulnerabilities. Do not demand payment or compensation in exchange for vulnerability information.

SECTION 6 - NELKO’S COMMITMENT

6.1 Response Timeline: Nelko is committed to a transparent and timely response. We will acknowledge receipt of your report within 72 hours. For vulnerabilities verified as critical, we aim to provide an initial assessment and feedback as soon as possible. We will provide regular status updates until the issue is resolved.

6.2 Regular Updates: We will keep you up to date on our progress and inform you of the final outcome.

6.3 Prioritization: We will assign a severity level to every reported vulnerability and prioritize it based on the risk it poses to the privacy of our customers.

6.4 Product Rewards (Swag): At our sole discretion, Nelko may provide product rewards (such as printers or consumable gift sets) to researchers who report significant, verified vulnerabilities as a token of our appreciation.

6.5 Recognition: With your permission, we may provide public recognition for significant contributions through our official channels.