Technical vulnerability disclosure statement

General technical vulnerability management program

NTT DATA, Inc. is committed to maintaining the security and integrity of our digital assets. We continuously invest in comprehensive security measures and regular audits to protect these assets. While we recognize the value of community engagement in security through bug bounty and similar programs, our focus is on using internal and contracted security expertise to maintain and enhance our security program.

We therefore do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be a violation of the terms of our Responsible Disclosure Program.

How to report a potential security vulnerability

If you have discovered a potential security vulnerability within NTT DATA, Inc. or one of our services or products, we would like to hear from you and strongly encourage you to disclose it to us as quickly as possible and in a responsible manner.

Please report your concern through our website and give us as much information as possible, including:

• An explanation of the potential security vulnerability
• A list of products and services that may be affected (where possible)
• Steps to reproduce the vulnerability
• The names of any test accounts you have created (where applicable)
• Your contact information

What happens next?

We are committed to reviewing all responsible disclosure reports. We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the potential security vulnerability.

We request that you do not publicly disclose the details of any potential security vulnerabilities without our express written consent.

Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, as will the details of the potential security vulnerability and the identity of all researchers involved in reporting it.

 

If potential security vulnerabilities are discovered and reported strictly in accordance with our Responsible Disclosure Program, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability.

In the event of any noncompliance, we reserve all our legal rights.

The following types of research are strictly prohibited:

• Accessing or attempting to access accounts or data that do not belong to you.
• Any attempt to modify or destroy any data.
• Executing or attempting to execute a denial of service (DoS) attack.
• Sending or attempting to send unsolicited or unauthorized email, spam or any other form of unsolicited messages.
• Social engineering of any NTT DATA employees, contractors, clients or any other party, including (but not limited to) approaching any individual physically or via electronic means, for example through phishing.
• Any physical attempts against our property or data centers, including (but not limited to) physical data centers, hosted infrastructure and office locations.
• Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products, clients or any other party.
• Testing third-party websites, applications or services that integrate with our services or products.
• Using automated vulnerability scanners.
• Exfiltrating any data under any circumstances.
• Any activity that violates any law.

We will consider taking legal action against anyone found to be performing any of the above actions.

Recognition of reported vulnerabilities

Once the investigation has been completed, we may, at our discretion and subject to the researchers’ consent, recognize the researchers involved. We will not, however, provide them with any form of compensation.

If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.