Security Team

Nux s.r.o. CSIRT

CSIRT (Computer Security Incident Response Team) is the dedicated security team of Nux s.r.o., responsible for detecting, analysing, and resolving cybersecurity incidents within its defined scope of operations. The team provides continuous security monitoring, coordinates incident response, and protects the IT infrastructure of the organisations under our management. It also serves as the central point of contact for reporting security incidents and vulnerabilities.

We are members of TF-CSIRT (Trusted Introducer), the European community of accredited CSIRT and PSIRT teams. This membership allows us to share threat intelligence with trusted partners, coordinate incident response internationally, and receive early warnings about emerging security risks.

Primary contact

CSIRT Contact

For reporting security incidents, coordination, and general communication with the team.

E-mail
csirt [at] nux.cz
PGP

PGP Key ID: 0xE2E296B8435B47F4

Fingerprint: 274E 05C1 3B76 3AD4 5597 4210 E2E2 96B8 435B 47F4

Email is the preferred communication channel. For sensitive communications, we recommend using PGP encryption. We follow the TLP (Traffic Light Protocol) standard when sharing incident information.
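
Before encrypting a report to one of the keys above, confirm that the key you imported is the one whose fingerprint is published here. The following is an added example, not code from this page or from Nux s.r.o.: it checks that a published key ID is the low 64 bits of the published fingerprint (the OpenPGP v4 relationship between the two) and compares the primary-key `fpr` record from `gpg --with-colons --fingerprint` output against the published value. The gpg output embedded below is a constructed sample in that format, not output captured from the real key.

```python
"""Verify a published PGP fingerprint against an imported key (added example).

Assumes you have already run `gpg --import` on a key file and captured
`gpg --with-colons --fingerprint <keyid>`; SAMPLE_GPG_OUTPUT below is a
constructed stand-in for that output (creation dates and the subkey
fingerprint are made up).
"""
import re

# Contact details as published on this page.
CSIRT_KEY_ID = "0xE2E296B8435B47F4"
CSIRT_FINGERPRINT = "274E 05C1 3B76 3AD4 5597 4210 E2E2 96B8 435B 47F4"

# Constructed sample of `gpg --with-colons --fingerprint` output: one primary
# key (pub + fpr), one subkey (sub + fpr). Only the primary fingerprint matters.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:E2E296B8435B47F4:1700000000:::u:::scESC::::::23::0:
fpr:::::::::274E05C13B763AD455974210E2E296B8435B47F4:
sub:u:4096:1:0123456789ABCDEF:1700000000::::::e::::::23:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
"""


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and an optional 0x prefix, uppercase, and require 40 hex digits."""
    cleaned = re.sub(r"\s+", "", fpr).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a v4 fingerprint: {fpr!r}")
    return cleaned


def key_id_matches_fingerprint(key_id: str, fpr: str) -> bool:
    """A long OpenPGP v4 key ID is the last 16 hex digits of the fingerprint."""
    kid = key_id.upper().removeprefix("0X")
    return len(kid) == 16 and normalize_fingerprint(fpr).endswith(kid)


def fingerprints_from_gpg_colons(output: str) -> list[str]:
    """Collect field 10 of every `fpr` record, in the order gpg printed them."""
    fprs = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            fprs.append(fields[9].upper())
    return fprs


def imported_key_matches(gpg_output: str, published_fpr: str) -> bool:
    """True iff the first (primary-key) fpr record equals the published fingerprint."""
    fprs = fingerprints_from_gpg_colons(gpg_output)
    return bool(fprs) and fprs[0] == normalize_fingerprint(published_fpr)


if __name__ == "__main__":
    print("key ID consistent with fingerprint:",
          key_id_matches_fingerprint(CSIRT_KEY_ID, CSIRT_FINGERPRINT))
    print("imported key matches published fingerprint:",
          imported_key_matches(SAMPLE_GPG_OUTPUT, CSIRT_FINGERPRINT))
```

The comparison deliberately uses the full 40-digit fingerprint rather than the 16-digit key ID: key IDs are short enough that a key with a chosen ID can be generated, so the ID is only a consistency check on what the page publishes, not proof of identity.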

Vulnerability reports

Security Vulnerabilities

Please use this address exclusively for vulnerability reports under our Responsible Disclosure program — not csirt@nux.cz.

E-mail
security [at] nux.cz
PGP

PGP Key ID: 0x9822C75134722D33

Fingerprint: 2D4C 7711 7D27 3652 6303 163D 9822 C751 3472 2D33

Before submitting, please review the program scope.


User Issues / Helpdesk

Need help with a user issue, password reset, or email problem? Please contact our helpdesk — not the CSIRT team.

Phone Contact

Phone (Mon–Fri 8 am – 6 pm):

+420 250 250 500

This line is intended for urgent reporting of security incidents within our managed infrastructure.

Scope of Operations

The CSIRT team oversees:

Internal IT infrastructure of the following companies

  • Nux s.r.o.
  • 2 digital s.r.o.
  • Webkeeper s.r.o.
  • tvmen s.r.o.

Server operations in individual datacenters

Operation and oversight of the servers that run services for the companies listed above and their customers.

DNS server services

  • ns1.nux.cz
  • ns2.nux.eu
  • ns3.nux.cloud

Application services provided to customers

Web and server applications operated within our managed infrastructure.

Managed Infrastructure Areas

IPv4 ranges

  • 80.95.247.208/28
  • 80.95.253.48/28
  • 80.95.253.64/27
  • 80.95.253.128/28
  • 89.233.129.0/27
  • 89.233.129.64/27
  • 89.233.137.32/27
  • 89.233.139.96/27
  • 193.86.126.96/27
  • 212.67.65.128/28
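
A researcher should confirm that a target address actually lies inside one of the ranges above before testing, since several of the ranges sit next to address space that is not listed (for example 89.233.129.0/27 and 89.233.129.64/27, with 89.233.129.32/27 between them). The following is an added example, not code from this page or from Nux s.r.o.: it loads the ten published ranges and classifies candidate addresses. The target addresses it is run on are constructed for the demonstration.

```python
"""Check candidate targets against the IPv4 ranges published on this page (added example).

The ranges are copied from the page; the sample targets are constructed.
Only IPv4 ranges are published, so any IPv6 target is reported as not confirmed in scope.
"""
import ipaddress
from typing import Optional

MANAGED_IPV4_RANGES = [ipaddress.ip_network(r) for r in (
    "80.95.247.208/28", "80.95.253.48/28", "80.95.253.64/27", "80.95.253.128/28",
    "89.233.129.0/27", "89.233.129.64/27", "89.233.137.32/27", "89.233.139.96/27",
    "193.86.126.96/27", "212.67.65.128/28",
)]


def managed_range_for(address: str) -> Optional[ipaddress.IPv4Network]:
    """Return the published range containing `address`, or None if it is outside all of them."""
    ip = ipaddress.ip_address(address)
    for net in MANAGED_IPV4_RANGES:
        if ip in net:  # False for an IPv6 address against an IPv4 network, no exception
            return net
    return None


def in_managed_scope(address: str) -> bool:
    return managed_range_for(address) is not None


def classify_targets(addresses):
    """Split candidate targets into (in_scope, out_of_scope) lists, preserving order."""
    in_scope, out_of_scope = [], []
    for addr in addresses:
        (in_scope if in_managed_scope(addr) else out_of_scope).append(addr)
    return in_scope, out_of_scope


if __name__ == "__main__":
    # Constructed sample targets: some inside the published ranges, some just outside.
    sample = ["80.95.247.210", "80.95.247.224", "89.233.129.40",
              "212.67.65.143", "212.67.65.144", "2001:db8::1"]
    ok, skip = classify_targets(sample)
    for a in ok:
        print(f"{a:16} in scope ({managed_range_for(a)})")
    for a in skip:
        print(f"{a:16} NOT in a published range; confirm with csirt [at] nux.cz first")
```

A hostname that resolves to an address outside every published range (a CDN edge or a third-party host, for instance) is out of scope under the policy below even if the name is under a Nux domain, which is why the check is done on the resolved address rather than the name.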

Domains

Domains whose registrant (holder) is NUX (Nux s.r.o.).

Vulnerability Reporting — in detail

Please use security [at] nux.cz exclusively to report security vulnerabilities. This address is dedicated to our Responsible Disclosure program, and reports are routed directly into our ticketing system.

Before submitting a report, please review the program scope — it explains what is in scope for testing, which activities are prohibited, and what your report should contain. For sensitive communications, we recommend using PGP encryption (key fingerprint above).

For urgent reports concerning our managed infrastructure, you can also call +420 250 250 500 (Mon–Fri 8 am – 6 pm).


Responsible Disclosure Policy

The security of our systems, customer data, and infrastructure is a priority for us. We welcome responsible reports of vulnerabilities affecting systems within our scope of operations. This page sets out the rules of cooperation between security researchers and Nux s.r.o.

Scope — what is included

Responsible testing covers:

  • Production services (web applications, APIs) operated by Nux s.r.o.
  • Internet-facing systems that are clearly owned or operated by Nux s.r.o.

If you are unsure whether a system is in scope, please contact us before you begin testing.

Out of Scope

  • Development, test, or staging environments
  • Subdomains without an active service
  • Third-party systems (hosting, CDN, SaaS providers)
  • Cloud infrastructure not directly managed by Nux s.r.o.
  • Employee email accounts
  • OSINT findings with no demonstrable security impact

Prohibited Activities

The following activities are prohibited without prior written consent from CSIRT Nux:

  • DoS / DDoS attacks or any deliberate disruption of service availability
  • High-intensity automated scanning that affects normal operations
  • Social engineering targeting employees or partners
  • Attempts to gain physical access to our premises
  • Unauthorised access to, exfiltration, modification, or deletion of data
  • Accessing other customers' data
  • Testing outside the defined scope

Testing must be carried out in a way that minimises any impact on the availability, integrity, and confidentiality of our services.

What we typically do not consider a vulnerability

Unless a real impact is demonstrated:

  • Missing security headers without demonstrable exploitability
  • Server version disclosure
  • SPF / DKIM / DMARC misconfiguration that cannot be exploited
  • Self-XSS
  • Clickjacking without a sensitive context
  • Rate limiting issues without real impact
  • Generic best-practice recommendations without a concrete exploit

How to report a vulnerability

Your report should include:

  • A detailed description of the vulnerability
  • Steps to reproduce
  • Expected vs. actual behaviour
  • Security impact (confidentiality, integrity, availability)
  • A proof of concept where applicable (without disclosing sensitive data)

Safe Harbor

If you act in good faith, within the defined scope, and without causing intentional harm, Nux s.r.o. will not pursue legal action against you and will work with you to remediate the vulnerability.

Coordinated Disclosure

  • Acknowledgement of your report: within 48 hours
  • Initial assessment: within 5 working days
  • Standard remediation and disclosure window: 90 days
  • Public disclosure is only possible by mutual agreement.

Rewards

Nux s.r.o. may grant a financial reward for significant security vulnerabilities. The amount is determined individually based on severity (CVSS), impact, and the quality of the report.

Severity | Example                                          | Indicative reward
Critical | RCE, authentication bypass, privilege escalation | > 20 000 CZK
High     | SQL injection, IDOR exposing sensitive data      | 10 000 – 20 000 CZK
Medium   | Stored XSS, significant CSRF                     | 3 000 – 10 000 CZK
Low      | Reflected XSS with limited impact                | 1 000 – 3 000 CZK

We reserve the right not to grant a reward if the report does not meet the program criteria.