Security Team

Nux s.r.o. CSIRT

CSIRT (Computer Security Incident Response Team) is the security team that handles cybersecurity incidents affecting the services of the companies under our management and oversees the cybersecurity of their IT infrastructure.

CSIRT Contacts

E-mail
csirt@nux.cz
PGP

PGP Key ID: 0xE2E296B8435B47F4

Fingerprint: 274E 05C1 3B76 3AD4 5597 4210 E2E2 96B8 435B 47F4

Phone

Phone (Mon–Fri 8 am – 6 pm): +420 250 250 500

User Issues / Helpdesk

If your request concerns a user issue with an application or your account (changes, renewals, forgotten passwords) or problems receiving or sending email, please contact our helpdesk, not the CSIRT team.

Scope of Operations

The CSIRT team oversees:

Internal IT infrastructure of companies

  • Nux s.r.o.
  • 2 digital s.r.o.
  • Webkeeper s.r.o.
  • tvmen s.r.o.

Server operations in individual datacenters

Operation and oversight of servers that ensure the operation of services for the above-mentioned companies and their customers.

DNS server services

  • ns1.nux.cz
  • ns2.nux.eu
  • ns3.nux.cloud

Application services provided to customers

Web and server applications operated within the managed infrastructure.

Managed Infrastructure Areas

IPv4 ranges

  • 80.95.247.208/28
  • 80.95.253.48/28
  • 80.95.253.64/27
  • 80.95.253.128/28
  • 89.233.129.0/27
  • 89.233.129.64/27
  • 89.233.137.32/27
  • 89.233.139.96/27
  • 193.86.126.96/27
  • 212.67.65.128/28

IPv6 ranges

— not yet defined —

Domains

Domains registered to the holder NUX (Nux s.r.o.).

Vulnerability Reporting Contacts

To report security incidents or vulnerabilities, please contact us via the CSIRT team email. For sensitive communications, please use PGP.

CSIRT Contact

E-mail
csirt@nux.cz

PGP

PGP Key ID: 0xE2E296B8435B47F4

Fingerprint: 274E 05C1 3B76 3AD4 5597 4210 E2E2 96B8 435B 47F4
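Before encrypting a report to the key listed under "PGP" above (and in the CSIRT Contacts section), compare the full 40-digit fingerprint of the key you fetched against the one published here; the key ID is only the last 16 hex digits of the fingerprint, so a matching key ID by itself does not prove you have the right key. The following check is an added example, not code from the Nux page or Nux tooling. It normalizes the page's fingerprint and key ID, confirms they are consistent with each other, and verifies a key listing. The listing is a constructed sample shaped like `gpg --with-colons --fingerprint` output, with the assumption that the fingerprint sits in field 10 of the "fpr" record; the surrounding "pub" and "uid" records are filler and not real gpg output for this key.

```python
import re

# Values as published on the Nux s.r.o. CSIRT page.
PUBLISHED_KEY_ID = "0xE2E296B8435B47F4"
PUBLISHED_FINGERPRINT = "274E 05C1 3B76 3AD4 5597 4210 E2E2 96B8 435B 47F4"

# Constructed sample shaped like `gpg --with-colons --fingerprint` output.
# Assumption: the "fpr" record carries the fingerprint in field 10. The
# other records are filler; this is not real gpg output for the key.
SAMPLE_COLON_LISTING = """\
pub:-:4096:1:E2E296B8435B47F4:1700000000:::-:::scESC::::::23::0:
fpr:::::::::274E05C13B763AD455974210E2E296B8435B47F4:
uid:-::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Nux CSIRT <csirt@nux.cz>::::::::::0:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Return the fingerprint as 40 upper-case hex digits (OpenPGP v4 key).

    Accepts the spaced form shown on the page, lower case, and an optional
    0x prefix. Anything that is not exactly 40 hex digits is rejected
    rather than partially matched.
    """
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def normalize_key_id(key_id: str) -> str:
    """Return a long (64-bit) key ID as 16 upper-case hex digits, no prefix."""
    cleaned = key_id.strip().upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{16}", cleaned):
        raise ValueError(f"not a 16-hex-digit long key ID: {key_id!r}")
    return cleaned


def long_key_id(fpr: str) -> str:
    """The long key ID is the low 64 bits (last 16 hex digits) of a v4 fingerprint."""
    return "0x" + normalize_fingerprint(fpr)[-16:]


def key_id_matches_fingerprint(key_id: str, fpr: str) -> bool:
    """Consistency check between a published key ID and fingerprint."""
    return normalize_key_id(key_id) == normalize_fingerprint(fpr)[-16:]


def fingerprints_from_colons(listing: str) -> list[str]:
    """Extract fingerprints from gpg --with-colons style 'fpr' records."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            found.append(fields[9].upper())
    return found


def verify_key_listing(listing: str, expected_fpr: str = PUBLISHED_FINGERPRINT) -> bool:
    """True only if the listing contains exactly the published fingerprint.

    A key ID match alone is not enough: key IDs are truncations of the
    fingerprint and keys with a chosen key ID can be generated, so all 40
    digits are compared before the key is trusted for encryption.
    """
    expected = normalize_fingerprint(expected_fpr)
    return any(fpr == expected for fpr in fingerprints_from_colons(listing))


if __name__ == "__main__":
    print("key ID consistent with fingerprint:",
          key_id_matches_fingerprint(PUBLISHED_KEY_ID, PUBLISHED_FINGERPRINT))
    print("sample listing carries the published key:",
          verify_key_listing(SAMPLE_COLON_LISTING))
```

To use it against a real key, import the key into a scratch keyring and feed the output of `gpg --with-colons --fingerprint <key id>` to `verify_key_listing`; refuse to encrypt unless it returns True.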

Phone Contact

Phone (Mon–Fri 8 am – 6 pm): +420 250 250 500

The phone is used for urgent reporting of security incidents within the managed infrastructure.

Responsible Disclosure Program

The security of our systems, customer data, and infrastructure is essential to us. If you identify a security vulnerability concerning Nux s.r.o. systems, we appreciate your responsible report. This page defines the rules of cooperation between security researchers and Nux.

Scope – what is in scope for testing

Responsible testing scope includes:

  • Production services (web applications, APIs) operated by Nux s.r.o.
  • Systems that are publicly available from the internet and clearly belong to Nux s.r.o. If you are unsure about the nature of a specific system, please contact us before starting testing.

Out of Scope

  • Development, testing, or staging environments
  • Subdomains without active services
  • Third-party systems (hosting, CDN, SaaS providers)
  • Cloud infrastructure operated by a third party outside the direct management of Nux s.r.o.
  • Employee email accounts
  • OSINT findings without real security impact

Prohibited Activities

Without prior written consent from CSIRT Nux, the following are prohibited:

  • DoS / DDoS attacks or intentional overloading of infrastructure
  • High-intensity automated scanning that may affect service availability
  • Social engineering against employees or partners
  • Attempts at physical access to company premises
  • Intentional exfiltration, deletion, or modification of data
  • Access to other customers' data
  • Testing outside the defined scope

Testing must be conducted in a manner that minimizes impact on service availability and integrity.

What we typically do not consider a vulnerability

  • Missing security headers without demonstrable exploitability
  • Server version disclosure
  • SPF / DKIM / DMARC misconfiguration without exploitability
  • Self-XSS
  • Clickjacking without sensitive context
  • Rate limiting issues without real impact
  • Best practice recommendations without a specific exploit

How to report a vulnerability

The report should include:

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Expected vs. actual behavior
  • Impact on security (confidentiality / integrity / availability)
  • Optional PoC (without disclosing sensitive data)

Safe Harbor

If you act in good faith, within the defined scope, and without causing intentional damage, Nux s.r.o. will not take legal action against you and will work with you to remediate the vulnerability.

Coordinated Disclosure

  • Report acknowledgment: within 48 hours
  • Initial assessment: within 5 working days
  • Standard remediation and disclosure time: 90 days
  • Public disclosure of the vulnerability is possible only after mutual agreement.

Rewards

Nux s.r.o. may grant a financial reward for significant security vulnerabilities. The reward is determined individually based on severity (CVSS), impact, and report quality.

Severity   Example                                    Estimated reward
Critical   RCE, auth bypass, privilege escalation     more than 20 000 CZK
High       SQLi, IDOR with sensitive data exposure    10 000 – 20 000 CZK
Medium     Stored XSS, significant CSRF               3 000 – 10 000 CZK
Low        Reflected XSS with limited impact          1 000 – 3 000 CZK

We reserve the right not to award a bounty if the vulnerability does not meet the program criteria.