Introduction 

This document outlines the standardized process for submitting Vulnerability Assessment and Penetration Testing (VAPT) reports related to all our products.

Reporting a Vulnerability 

If you discover a vulnerability in any of our products, please submit a detailed report through our Support Portal. Your submission will help us strengthen the security of our products. 

Steps to submit a VAPT report

  1. Vulnerability identification: Conduct a thorough analysis to pinpoint the specific issue. If using automated tools, remove false positives and prioritize the vulnerabilities.
  2. Gather the necessary information, such as:
    • Product name and version
    • Any additional context or relevant information

Minimum Required Details for Analysis:

  1. Environment Information:
    • Exact versions of the Accops product.
    • Details of patches applied to the gateway.
  2. Description of the vulnerability or security issue:
    • A clear description of the security issue or vulnerability.
  3. Affected module, system, or feature:
    • Specify the impacted module, system, or feature.
  4. Reproduction Steps:
    • Provide step-by-step instructions to reproduce the issue.
    • Include test data or payloads used.
  5. Impact Assessment:
    • What data is at risk (e.g., user information, credentials)?
    • Which systems or users might be affected?
    • Severity and exploitability of the issue.
    • Access level needed for exploitation.
    • Exploitability across network, physical access, or application components.
    • Conditions required to trigger the vulnerability.
    • Availability of Proof of Concept (PoC) exploits.
    • Actions an attacker could perform after exploiting the vulnerability.
    • Detectability of exploitation.


Submission Format

Please submit reports using the Sample VAPT Report Sheet format. This ensures that all essential information is captured, making it easier for us to understand and address the vulnerability. 


Note: Including a Proof of Concept (PoC) with clear exploitation steps aids in evaluating the issue and enables us to resolve it in a timely manner.


For vulnerabilities related to underlying OS packages, please refer to the document below to validate and rule out false positives:

STEPS TO VALIDATE VULNERABILITIES.pdf


Ensuring Product Updates:

We recommend that customers always use the latest version of our products to mitigate known issues/vulnerabilities. Check for the latest updates here.


Exclusions/Out of Scope:

We kindly request that any scanner-generated reports be reviewed and validated before submission. Prioritized and validated findings help us address issues more efficiently and reduce delays caused by false positives.


The following are considered out of scope for VAPT submissions:

  • Self-exploitation scenarios (e.g., self-XSS, cookie reuse, self-DoS).
  • Attacks requiring MITM or physical access.
  • Clickjacking on non-sensitive pages unless a PoC demonstrates a meaningful exploit.
  • CSRF vulnerabilities in non-critical actions.
  • Blind SSRF without a working PoC.
  • Lack of security headers without direct impact.
  • Version number-based vulnerability claims without PoC.
  • Invalid/missing SPF/DKIM records with no demonstrated risk.
  • Disclosure of static resources or public information.
  • Security weaknesses without practical impact.


Submission Channels

Via Support Ticket: Submit a request on support.accops.com with all relevant details.

Via Email: Send your report to support@accops.com.

Service Level Agreements (SLA) for Reported Vulnerabilities

Priority* | SLA for Accops Products                    | SLA for Open Source or 3rd Party modules
Critical  | Mitigation or permanent fix within 15 days  | 15 days post validated fix available
High      | Mitigation or permanent fix within 30 days  | 30 days post validated fix available
Medium    | Mitigation or permanent fix within 60 days  | 60 days post validated fix available
Low       | Mitigation or permanent fix within 180 days | 180 days post validated fix available


*Priority is determined based on the severity, exploitability and impact of the vulnerability on Accops products.



Best regards,

Accops Systems Private Limited