Security Disclosure Policy
 
Responsible Vulnerability Disclosure
Navigazione Libera del Golfo S.p.A. is committed to maintaining the security and integrity of its digital services and infrastructure.
We welcome responsible disclosure of potential security vulnerabilities that may affect our websites, applications, or systems, provided that such disclosures comply with the guidelines outlined below.

Scope
This policy applies to:
Publicly accessible websites and web applications operated by Navigazione Libera del Golfo S.p.A.
Online services owned and managed by the company
This policy does not apply to:
Third-party services or platforms not directly controlled by us
Denial-of-service (DoS/DDoS) testing
Social engineering, phishing, or physical security testing

Guidelines for Responsible Disclosure
If you believe you have discovered a security vulnerability, we ask that you:
Do not exploit the vulnerability beyond what is strictly necessary to confirm its existence
Do not access, modify, delete, or exfiltrate data
Do not attempt to disrupt services or degrade performance
Do not disclose the issue publicly before it has been reviewed
Provide sufficient technical detail to allow us to understand and evaluate the report
Reports should include, where possible:
A clear description of the issue
Affected URL(s) or system(s)
Steps to reproduce
Proof of concept (if applicable)

Reporting a Vulnerability
Security issues can be reported via email to:
ufficioced@nlg.it
Please include “Security Vulnerability Report” in the subject line.
All reports will be reviewed by our technical team as part of our internal security assessment process.

Bug Bounty & Compensation
Navigazione Libera del Golfo S.p.A. does not operate a public or private bug bounty program.
Submission of a vulnerability report does not entitle the reporter to any financial compensation, reward, or bounty, regardless of the validity or impact of the finding.

Legal Safe Harbor
When conducted in good faith and in accordance with this policy, we will not pursue legal action against individuals who responsibly report security vulnerabilities.
This assurance does not apply to:
Malicious activity
Exploitation beyond verification
Attempts to extort, demand compensation, or apply pressure for rewards

Acknowledgment
We appreciate the efforts of the security community in helping improve the safety of digital systems and thank all researchers who follow responsible disclosure practices.

Policy Updates
This policy may be updated at any time without prior notice.
The latest version will always be available on our official website.

Version
Last updated: January 2026