Security Vulnerability Disclosure Policy

1. Purpose

The purpose of this Security Vulnerability Disclosure Policy is to provide clear guidelines for the identification, reporting, and resolution of security vulnerabilities related to our systems, products, and services. This policy outlines the types of vulnerabilities that are considered within scope for investigation and resolution and those that are explicitly out of scope.


2. Scope

This policy applies to all individuals, including external security researchers, who wish to report potential security vulnerabilities in our systems, products, or services. It is designed to ensure that vulnerabilities are reported responsibly and handled in a manner that protects both our users and our systems.


3. In-Scope Vulnerabilities

The following types of vulnerabilities are considered in scope for this policy and will be addressed in accordance with our internal security processes:

  • Authentication Issues: Weaknesses in authentication mechanisms, credential stuffing, or bypassing login mechanisms.
  • Authorization Issues: Improper access controls, including escalation of privileges, unauthorized access to sensitive data, and improper role permissions.
  • Cross-Site Scripting (XSS): Any form of XSS, including stored, reflected, and DOM-based XSS, which may allow attackers to inject malicious scripts.
  • Cross-Site Request Forgery (CSRF): Vulnerabilities where attackers can trick users into performing actions they do not intend to, by exploiting the trust a web application has in the user's browser.
  • SQL Injection: Vulnerabilities that allow an attacker to interfere with the queries that an application makes to its database, potentially exposing or altering sensitive information.
  • Remote Code Execution (RCE): Any vulnerability that allows attackers to execute arbitrary code on a server or client machine.
  • Server-Side Request Forgery (SSRF): Exploits where attackers can make unauthorized requests from a vulnerable server.
  • Insecure Direct Object References (IDOR): Flaws where user-supplied input can expose or manipulate internal objects, allowing unauthorized data access.
  • Sensitive Data Exposure: Unintended exposure of sensitive information, including improper encryption, insecure transmission of data, or hardcoded credentials.
  • Security Misconfigurations: Default configurations, incomplete or ad-hoc configurations, open cloud storage, or other misconfigurations that could be exploited.


4. Out-of-Scope Vulnerabilities

The following types of vulnerabilities are explicitly out of scope for this policy and will not be supported or addressed:

  • Physical Attacks: Any vulnerability that requires physical access to the hardware or environment. This includes, but is not limited to, hardware tampering, physical theft, or access gained through social engineering.
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks: Any attack that relies on high bandwidth usage, network saturation, or resource exhaustion to disrupt service availability.
  • Social Engineering Attacks: Techniques that involve manipulating individuals to disclose sensitive information, such as phishing or impersonation attacks.
  • Vulnerabilities in Third-Party Services: Issues that are solely related to third-party services, frameworks, or libraries, where the vulnerability does not directly involve our own codebase or configurations.
  • Outdated Software: Vulnerabilities related to the use of outdated software or unsupported versions, where upgrading to a supported version would mitigate the issue.
  • Browser-Specific Issues: Bugs or vulnerabilities that are specific to certain web browsers or browser extensions, which do not pose a risk across multiple platforms.
  • Low-Risk Information Disclosures: Issues that involve minor information disclosure, such as version numbers or non-sensitive data, without a direct exploit path.
  • Self-Inflicted Misconfigurations: Issues arising from user errors, such as insecure configurations set by the user that do not reflect the default or recommended configuration of our systems or products.


5. Reporting Guidelines

When reporting a vulnerability, please include the following information to assist with a timely review and resolution:

  • A detailed description of the vulnerability, including the potential impact.
  • Steps to reproduce the issue, including any relevant proof-of-concept code or screenshots.
  • Any mitigation steps you have identified or tested.

Reports can be submitted via cert (at) hawe.com. Please include a clear subject line referencing the nature of the vulnerability.


6. Acknowledgment and Response

We are committed to acknowledging and responding to all vulnerability reports within a reasonable timeframe. Upon receiving a report, we will:

  • Acknowledge receipt of the report within 3 business days.
  • Assess the validity and impact of the reported vulnerability.
  • Provide an estimated timeline for resolution if the vulnerability is confirmed and in scope.


7. Legal Safe Harbor

We value the work of security researchers and are committed to ensuring that responsible reporting is free of legal risk. As long as you follow this policy, we will consider your findings in a responsible manner and will not pursue legal action related to your research.


8. Policy Updates

This policy may be updated from time to time to reflect changes in the security landscape or our own security practices. We encourage you to review this policy periodically for any updates.


9. Contact Information

For any questions or clarifications regarding this policy, please contact us at cert (at) hawe.com.

---

This policy is designed to protect both our users and systems while fostering a collaborative environment for responsible vulnerability disclosure. Thank you for helping us maintain the security and integrity of our services.