NAVTOR Vulnerability Disclosure Policy (VDP)
Purpose
NAVTOR welcomes good‑faith security research and coordinated vulnerability disclosure. This policy defines how to report potential vulnerabilities to NAVTOR and what you can expect from us in return.
NAVTOR welcomes vulnerability reports from third parties, including reports arising from customer-authorized assessments. However, this policy’s authorization/safe harbor applies only to activity conducted in accordance with this policy and/or NAVTOR’s written authorization.
Where a report concerns customer environments, NAVTOR will coordinate validation through the customer and/or a NAVTOR-approved test plan.
Definitions
Operationally Critical Systems - Production services; systems supporting delivery of NAVTOR products (including portals, cloud services, and APIs); customer or partner environments; shipboard or navigation-related operational deployments; and any system where testing could impact safety, navigation, availability, or customer operations.
Passive validation - Non-invasive verification that does not alter state, access non-public data, or generate traffic beyond normal user interaction.
Authorized Research - Policy-compliant activity within scope, with written authorization where required.
Scope
In scope: NAVTOR products and services expressly listed here (the "Covered Systems"). Out of scope: third‑party products or services, social engineering (phishing, vishing), physical security, and denial‑of‑service or stress testing. If you are unsure whether a system is covered, please ask before testing.
If you want to conduct testing beyond passive validation, email security@navtor.com with: targets, methods/tools, expected traffic volumes, timeframe, source IPs, and rollback plan. Testing may begin only after NAVTOR provides written authorization specifying scope and time window.
Do not test customer/partner environments unless you have explicit written permission from both the customer (asset owner) and NAVTOR.
Covered Systems: This policy applies to security vulnerabilities in NAVTOR’s customer‑facing products and services and their NAVTOR‑operated supporting components (such as associated web portals, cloud services, and APIs used to deliver these products), specifically including:
- NavBox
- Digital Logbooks
- NavTracker
- NavFleet
- NavCLAN
- NavStation
- NavTV
- NavReporting
- ECDIS SDK/OEM
Covered Systems are in scope for vulnerability reporting. Active testing is only permitted as described in this policy and, beyond passive validation, requires NAVTOR’s prior written authorization.
How To Report
Please send reports to: security@navtor.com. Include a description, clear reproduction steps or proof‑of‑concept, affected versions/builds, impact, and suggested mitigations. If you need encrypted communication, say so in your initial report; we can exchange a PGP key or agree on an alternative secure channel.
Safe Harbor (Authorization for Good‑Faith Research)
NAVTOR authorizes only the specific research activities expressly permitted by this policy and only against the Covered Systems as defined herein. Any other security testing - especially testing that could impact availability, safety, customer environments, data, or business operations - is not authorized and must not be performed without NAVTOR’s prior written permission.
If you make a good-faith effort to comply with this policy and remain within the permitted activities, NAVTOR will not initiate legal action against you for accidental, good-faith violations of this policy. This does not apply to unlawful, malicious, disruptive, or out-of-scope activity.
Testing Rules of Engagement
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate a finding. Use test data whenever possible.
- Avoid actions that degrade, disrupt, or deny our services (e.g., DoS, brute force, resource exhaustion).
- No social engineering, phishing, or physical access attempts.
- Respect privacy. If you encounter personal or confidential information, stop testing and report immediately.
- Limit testing to Covered Systems; do not use automated scanners at rates that could impact availability.
Stop Conditions (Mandatory):
You must immediately stop testing and notify NAVTOR if you:
(a) encounter personal/customer/confidential data;
(b) observe service degradation;
(c) trigger alarms/lockouts; or
(d) believe continued activity could impact customers or operations.
Operational Safety & Permission Requirement (Operationally Critical Systems)
NAVTOR’s systems and customer operations include operationally critical environments where testing can create safety, availability, or customer-impact risk. Any testing that could reasonably affect the confidentiality, integrity, or availability of NAVTOR systems/services or any customer environment must only be performed after prior written authorization from NAVTOR and in coordination with NAVTOR. Testing without such authorization is prohibited.
Our Commitments
- Acknowledge receipt of your report within 4 business days and provide a tracking ID.
- Work in good faith to validate, triage (using risk and CVSS as appropriate), and remediate.
- Provide status updates at reasonable intervals based on severity.
- Coordinate disclosure with you, targeting a 90‑day window. We may extend this when remediation is complex or where safety, multi‑party dependencies, class/flag approvals, or fleet deployment constraints apply.
Coordinated Disclosure
We prefer to disclose only after fixes are available and deployed. NAVTOR may make limited pre‑disclosure notifications under confidentiality to regulators, class/flag authorities, and affected customers when required for safety or compliance. We are happy to recognize researchers publicly with mutual consent after coordinated disclosure.
No Bounty Implied
This VDP is not a bug bounty program and does not offer financial rewards. Where applicable, NAVTOR may, at its sole discretion, offer recognition.
Privacy and Data Handling
Please avoid accessing personal data. If unavoidable to demonstrate impact, collect the minimum necessary, protect it, and delete it after reporting. NAVTOR will treat your report as confidential prior to coordinated disclosure.
Assumption of Risk; Third‑Party Acts
Assumption of risk applies to activity outside Authorized Research.
Security testing performed without NAVTOR’s prior written authorization is conducted at the tester’s sole risk. To the maximum extent permitted by applicable law, NAVTOR disclaims liability for damages, service disruption, losses, or claims arising from or related to any third party’s unauthorized or unsolicited security testing activities.
Contact
Security contact: security@navtor.com
Security.txt: https://www.navtor.com/.well-known/security.txt
Policy URL: https://www.navtor.com/security/vulnerability-disclosure
Encryption: Available on request (PGP key exchange or alternative secure channel)
