Cofense Email Security

Responsible Disclosure Policy

Updated: June 27, 2017

At Cofense, Inc., we take the security of our users’ data very seriously. If you have discovered or believe you have discovered potential security vulnerabilities in a Cofense Service or Product, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Responsible Disclosure Policy.

We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put Cofense’s entire user community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.

Responsible Disclosure Policy

While working to identify security vulnerabilities, Cofense asks that you:

  • Share any issues that you discover with us via [email protected], as soon as is practical
  • Provide Cofense a reasonable amount of time to review and address reported issues before making them public (minimum 45 days after verification of the vulnerability)
  • Do not attempt to access or modify any user data that is not your own.
  • Please do nothing to degrade the performance of our services (e.g. via automated scanning, brute forcing, or denial of service attacks)
  • Do not post, transmit, upload, link to, send or store malware, viruses or similar harmful software.
  • Report issues defined within scopes below.
  • Check our list of non-qualifying vulnerabilities to make sure that you aren’t spending time chasing down a vulnerability that isn’t going to qualify for our Security Researcher Hall of Fame (bottom of page).

Scope

Vulnerabilities affecting the following products and services are in scope and may qualify for Hall of Fame recognition:

  • Cofense PhishMe
  • Cofense Triage License Server
  • Cofense ThreatHQ API Server
  • Cofense Reporter

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability, please share the details with Cofense by sending an email to [email protected]. When reporting a potential vulnerability, please include the following:

  • A description of the vulnerability detailed enough for Cofense to reproduce your steps and the issue,
  • Proof of Concept
  • How the attack could be executed in a real world scenario to compromise user accounts or data
  • Your email address
  • Your name and Twitter handle as you would like it to appear in our Security Researcher Hall of Fame (if selected).

Cofense will acknowledge receipt of your report within one business day, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.

Qualifying Vulnerabilities

Examples of qualifying vulnerabilities likely to be eligible for Hall of Fame recognition include:

  • Cross-Site Scripting (XSS) affecting supported browsers (Chrome/latest, Firefox/latest, Safari/6, IE/10+)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Missing/Broken Authentication
  • Remote Code Execution
  • Privilege Escalation

Non-Qualifying Issues

Not all issues are in the scope of our program, including some issues that other programs may accept. Please review these non-qualifying issues before beginning your research and submitting any reports.

Examples of non-qualifying vulnerabilities (not eligible for a shout-out in our Hall of Fame) include:

  • Reports from automated tools or scanners
  • Theoretical attacks without actual proof of exploitability
  • Denial of Service attacks
  • Brute force attacks (e.g. on passwords or tokens)
  • Username or email address enumeration
  • Spamming
  • Issues with third-party applications
  • Issues with domains not owned by Cofense Inc (see the scope above)
  • Social engineering of Cofense staff or users
  • Vulnerabilities obtained through compromising Cofense user or employee accounts
  • Attacks involving any user accounts not created by you
  • Physical attacks against Cofense Inc offices or data centers
  • Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (e.g. man-in-the-middle attacks)
  • Missing security headers that do not lead directly to a vulnerability
  • Click-jacking
  • Content Spoofing
  • Cookies missing the Secure or HttpOnly flag
  • Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves)
  • Issues related to password and account recovery policies (e.g. password complexity requirements)
  • Issues related to board and organization invitation policies
  • Issues related to having auto-complete enabled (i.e. not explicitly disabled) on password inputs
  • Disclosure of tools, libraries used by Cofense and/or their versions
  • Open redirects on domains other than Cofense.com
  • Issues that are the result of a user doing something silly (like sharing their password publicly)
  • Attacks affecting browsers not explicitly supported by Cofense
  • Issues related to email sent from @cofense.com addresses (e.g. DMARC and SPF configuration)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions

Recognition

Researchers that responsibly disclose in accordance with this Responsible Disclosure Policy are eligible for inclusion in our Security Researcher Hall of Fame. Whether or not a security vulnerability report is in compliance with this Responsible Disclosure Policy and a Researcher is eligible for inclusion in our Hall of Fame is in our sole discretion. Cofense does not compensate researchers for identifying potential or confirmed security vulnerabilities. Any requests for monetary compensation or any other type of consideration will be deemed in violation of this Responsible Disclosure Policy.

PGP Key

If you wish to encrypt your report, our PGP public key is available below.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQENBFszjSYBCACl1PKqvuctgFz93F8eLfh9E2IFvMmLfaujT22lfFZtetI7Ky2q
4avYrgyuQeU/Jg2FTidM+XIrxYfBIqAwHBmYFBveEGhThYdRbRBwOp3+9IFF36/p
yeO7xLOw4/KBBwAty8u6uVwIw0vs7wftDpdhbcILpQF3/V28XLIr1oGQ90ztvRRI
Y9kQFkmUTPkTqBXjCVkQE+Xco/t9vtjWl/lDx1St0xNDkg82FPGSK6uUixDYXtEP
9BzaVUH84KejmgTctA2dzgx3doSq9eFWUiI3/otPizv/TErx92FdwVlt7xRYwqt1
PDrVZH4dcRA71QybeGHug3NTfcdi72zxuNn5ABEBAAG0QlNlY3VyaXR5IChDb2Zl
bnNlIHNlY3VyaXR5IGdyb3VwIGVtYWlsIGJveCkgPHNlY3VyaXR5QGNvZmVuc2Uu
Y29tPokBVQQTAQgAPwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTuaWos
PdvmNhybE5D7pL9CX7lQKAUCYGzZxwUJCPuzoQAKCRD7pL9CX7lQKPJYCACIYRkr
L/qJLtrI9JfVLcAwSxmZ8JHNYooisPIS8ph4A+0hi8lj+sigQu8IsEbOFNRNeElU
QL4GRmnTAnVHYoETaarCkhCGcsslFqmsWVn+m0VImZYezP+XCFFe42yQmXp5Bsh3
mzb5WXg9WKP9DB28yPIat5noRnknunK3BzcGgj4WFeFUK+36pFJWu77BrHUxeeTV
1OfNTEIYJyj7++Oj5RUa5ZeiGQ2Hwt2fuNOOgdNcAXqRAEmpVHP6fEpz+iAS9tkK
89F0lKb76ZgfP4FRyrgpA829AWAzPLZivKo6SZuQ/fZ4A+5AG04Ge0XNvBRsVrGe
/HATDJ4f5imVXVO0uQENBFszjSYBCACbrrqUsAqDCmZk86cNxfa/bmw4w09Gi7Tk
s+WT9JWqUlpYi2gKEI1rGIDBPQWynrtZANfmo21Ttx2EJ6zHjrVYGJZRw9wLjrB6
Vu/RgVe368tQTV6DfAg7TAsg9eFVWfdQT3D/Iuw0XGuxmkOnbLVrfHjwOpt9OfW/
YEgxCMp5v7QIMcJswcfrIK6IDcUDKIUDGi+Xbvpm12QDxjggJQp/JOmEXSlAN0WQ
19WYtwCBL5i007yQxofWYW9keuf+nQgi1ZI+CYj8T6bjmvV50EHNow1NoUsEkA3G
1oPArTeno44SfPeJ8gFFhIk0KKeONJwNpAUaNMaHy1sfeNZmAPezABEBAAGJATwE
GAEIACYCGwwWIQTuaWosPdvmNhybE5D7pL9CX7lQKAUCYGzZ6wUJCPuzxQAKCRD7
pL9CX7lQKGV6B/4/oA3udPzjpqQxwayBgRuikVnSsQl0inD2GNl4WK4DHMwY44im
BZJD3y//zGxnBsl3L9F2BS8MNWZ1f52scY9nPW5Ce8xRrI5M3+NQNoClOlJ9JMiU
625F5WColZsn4xlb7PpTl3vx5lK1FezMijp5i6FxIu3xF2hh2NrkzWUx98Lq/2uA
ufJF/CpJ3IyzkJmEd3YGld6wO3M0DE0n/++KvOfGBit+7AxA1y2M7KJhIlhbMgSj
eDariC+lFAy3f6vD9bwSzqOp1Nh2c6gb26qzT5ZmfS3PV61uMmZ/7dYWxlPF2IFY
RfPomkpyi67yeeWGxWbGxOL8ng8IghuGWUaS
=/5C3
-----END PGP PUBLIC KEY BLOCK-----

Security Researcher Hall of Fame
