Introduction
This document outlines the standardized process for submitting Vulnerability Assessment and Penetration Testing (VAPT) reports related to all our products.
Reporting a Vulnerability
If you identify a vulnerability in our products, please submit a detailed report via our Support Portal. Your report will help us improve the security of our products.
Steps to submit a VAPT report:
1. Vulnerability identification: Conduct a thorough analysis to pinpoint the specific issue. If using automated tools, remove false positives and prioritize the vulnerabilities.
2. Gather Necessary Information like:
- Product name and version
- Specifics of the vulnerability
- Other relevant contextual information.
Minimum Required Details for Analysis:
1. Environment Information:
- Accops’ product’s version
- Details of patches applied on the gateway
2. Description of the vulnerability or security issue.
3. Affected module, system, or feature.
4. Reproduction Steps:
- Clear, step-by-step instructions to reproduce the issue.
- Test data or payloads used.
5. Impact Assessment:
- Data at risk (e.g., user information, credentials).
- Systems or users potentially affected.
- Severity assessment and exploitability details.
- Access level required for exploitation.
- Exploitability over the network, physical access, or application component.
- Conditions necessary to trigger vulnerability.
- Availability of Proof of Concept (PoC) exploits.
- Actions an attacker can perform post-exploitation.
- Detectability of exploitation.
Submission Format:
Reports should be submitted using the Sample VAPT Report Sheet format. This format is designed to ensure that all necessary information is included in the report, making it easier for us to understand and address the vulnerability.
Note: A detailed Proof of Concept (PoC) with clear exploitation steps significantly helps us evaluate the issue and provide an effective resolution.
Ensuring Product Updates:
Customers are encouraged to use the latest version of our products to avoid known issues. Check the latest updates here.
The following issues are considered out of scope:
- Self-exploitation scenarios (e.g., self-XSS, cookie reuse, self-DOS).
Attacks requiring MITM or physical access.
Clickjacking on non-sensitive pages unless a PoC demonstrates a meaningful exploit.
CSRF vulnerabilities in non-critical actions.
Blind SSRF without a working PoC.
Lack of security headers without direct impact.
Version number-based vulnerability claims without PoC.
Invalid/missing SPF/DKIM records with no demonstrated risk.
Disclosure of static resources or public information.
Security weaknesses without practical impact.
Submission Channels
Via Support Ticket: Submit a request on support.accops.com with all relevant details.
Via Email: Send your report to support@accops.com.
Service Level Agreements (SLA) for Reported Vulnerabilities
| Priority* | SLA for Accops Products | SLA for Open Source or 3rd Party modules |
Critical | Mitigation or Permanent fix within 15 days | 15 days post validated fix available |
High | Mitigation or Permanent fix within 30 days | 30 days post validated fix available |
Medium | Mitigation or Permanent fix within 60 days | 60 days post validated fix available |
Low | Mitigation or Permanent fix within 180 days | 180 days post validated fix available |
*Priority is determined based on the severity, exploitability and impact of the vulnerability on Accops products.
Best regards,
Accops Systems Private Limited