Vulnerability Disclosure Policy
We value responsible reports. This page explains how to disclose a vulnerability to us and which rules to follow.
Last update: 23 June 2026
noze S.r.l. treats security as a priority. If you have found a potential vulnerability in our public services, we ask you to report it responsibly by following the guidance below.
1. How to report
To submit a report, use our contact form: the «Security report» topic is already preselected. To help us reproduce and assess the issue, please include in your message, where possible:
- a clear description of the vulnerability and its potential impact;
- the steps needed to reproduce it (URL, parameters, non-destructive payloads);
- any further detail that helps us reproduce the issue (logs, text-based evidence), without including third-party personal data.
The same reporting channel is also published in /.well-known/security.txt, in accordance with RFC 9116.
2. Accepted languages
We accept reports in Italian and English.
3. Scope
This policy covers domains and subdomains owned by noze (for example www.noze.it and its subdomains). The third-party platforms we use (for example newsletter, anti-bot, analytics or hosting services) remain subject to their own security programmes: any issues affecting them should also be reported to the respective providers.
4. Rules of engagement
To protect users, data and service continuity, we ask you not to:
- perform Denial of Service (DoS/DDoS) attacks or load/stress testing;
- conduct social engineering, phishing or deception attempts against staff, customers or suppliers;
- send spam or bulk messages through our forms;
- access, modify, exfiltrate or retain third-party personal data;
- carry out mass scraping or aggressive, high-volume scanning;
- run destructive tests or tests that degrade the availability and integrity of the services.
Testing must be authorised, targeted and low-impact. Limit your checks to the minimum needed to demonstrate the issue, and stop as soon as you have gathered sufficient proof.
5. Handling
We aim to acknowledge reports as soon as possible and to assess them carefully. We do not currently run a rewards programme (bug bounty): no financial rewards are offered for reports.
6. Good faith
For those acting in good faith, in compliance with this policy and applicable law, we will not pursue legal action related to the research activity carried out. We ask you to allow us a reasonable amount of time to analyse and fix the issue before disclosing it publicly.