Responsible disclosure

© 2021 Computicate BV.
Responsible Disclosure

At Computicate Business Automation, we consider the security of our systems, our network and our products of utmost importance. Despite the great care we take regarding security, weak points can still remain. If you have found such a weakness, we would like to hear about it as soon as possible so that we can take appropriate measures as quickly as possible.

Weak points can be discovered in two ways: you can accidentally come upon something during the normal use of Computicate Business Automation, or you can explicitly do your best to find them. Our responsible disclosure policy is not an invitation to actively scan our business network or application to discover weak points. We monitor our business network and application ourselves. This means that there is a high chance that a scan will be detected, and that an investigation will be performed by our Security Operations Center (SOC), which could result in unnecessary costs.

Our responsibility to our customers means that our intention is not to encourage hacking attempts on the infrastructure and the product; however, we would like to hear from you as quickly as possible if vulnerabilities are found, so that we can resolve them adequately. We would like to work with you to be better able to protect our customers and our systems.

We ask that you:

  • E-mail your findings as quickly as possible to responsibledisclosure@computicatepsa.com
  • Do not abuse the vulnerability; for example, by downloading, editing or deleting data. We will always take your report seriously and investigate any suspicions of a vulnerability, even without proof.
  • Do not share the problem with others until it has been resolved.
  • Do not make use of attacks on physical security, social engineering, or hacking tools such as vulnerability scanners.
  • Give adequate information for the problem to be reproduced so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability are enough, although more information might be necessary for more complex vulnerabilities.

What we promise:

  • We will respond to your report within three business days, with our evaluation of the report and an expected resolution date.
  • We will handle your report confidentially, and will not share your personal information with third parties without your permission. An exception to this is the police and judiciary in the event of prosecution or if information is demanded.
  • We will keep you informed of the progress of the solution to the problem.
  • In communication about the reported problem, we will state your name as the party that discovered the problem, if you wish.
  • It is unfortunately not possible to guarantee in advance that no legal action will be taken against you. We hope to be able to consider each situation individually. We consider ourselves morally obligated to report you if we suspect the weakness or data are being abused, or that you have shared knowledge of the weakness with others. You can rest assured that an accidental discovery in our online environment will not lead to prosecution.
  • As thanks for your help, we offer a reward for every report of a security problem that is not known to us. We determine the value of the reward on the basis of the seriousness of the breach and the quality of the report.

We strive to resolve all problems as quickly as possible and to keep all involved parties informed, and we would like to be involved in any publication about the problem once it is resolved.

Out of Scope

We do not accept reports of the following categories:

  • Ability to perform an action unavailable via user interface without identified security risks
  • Ability to send emails with no control over content without any limits
  • Any activity that could lead to the disruption of our service (DoS)
  • Attacks that require MitM or physical access to a user’s device
  • Clickjacking
  • Content spoofing and text injection
  • CSV injection without demonstrating a vulnerability
  • Disclosure of non-sensitive information, like product version, file path on a server, stack trace, etc.
  • Disclosure of private IP addresses or domains pointing to private IP addresses
  • Leakage of sensitive tokens (e.g. password reset token) to trusted third parties on secure connection (HTTPS)
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in DNS configuration (DKIM/DMARC/SPF/TXT)
  • Missing best practices in HTTP headers without demonstrating a vulnerability
  • Missing notifications about important actions
  • Missing protection mechanism or best practices without demonstration of real security impact for user or system
  • Previously known vulnerable libraries without a working proof of concept
  • Reports that include only crash dumps or automated tool output without a working proof of concept
  • Unauthenticated/login/logout CSRF
  • User enumeration
  • Vectors that require unpatched environment (e.g. missing Windows updates, unpatched browsers)

Informative

  • Open redirects are closed as informative, excluding cases where the redirect can be used as part of an exploit chain, for instance an OAuth token leak. In such cases, the whole issue will be rated according to the final impact and exploitability
  • Ability to send emails with some user input without any limits
  • Disclosure of JavaScript API keys (e.g. API key for external map service)
  • Broken links to unclaimed social media and similar pages