Disclosure Policy
NIIS supports the responsible disclosure of vulnerabilities. However, due to X-Road’s use in government agencies worldwide, it is necessary for NIIS to ensure that sufficient time is available for users to patch their instances of X-Road prior to the public disclosure of any vulnerability. As such, we ask that you mention your intention to publicly disclose a vulnerability when you submit a finding to this program and wait for NIIS to grant approval before publicly disclosing your findings. Findings that are publicly disclosed without NIIS approval will not be eligible for a bounty.