Introduction
Here, we outline the standardized process for submitting Vulnerability Assessment and Penetration Testing (VAPT) reports related to our products.
Reporting Vulnerability
If you identify a vulnerability in our products, please submit a detailed report via our Support Portal.
Steps to submit a VAPT report:
1. Identify the Vulnerability – Conduct a thorough analysis to pinpoint the specific issue. If using automated tools, remove false positives and prioritize the vulnerabilities.
2. Gather Necessary Information, such as:
- Product name and version
- Specifics of the vulnerability
- Other relevant contextual information.
Minimum Details required to better analyze the security issue:
1. Environment Information:
- HySecure gateway version
- Details of patches applied on the gateway
2. Description of the vulnerability or security issue.
3. Affected module, system, or feature.
4. Reproduction Steps:
- Clear, step-by-step instructions to reproduce the issue.
- Test data or payloads used.
5. Impact Assessment:
- Data at risk (e.g., user information, credentials).
- Systems or users potentially impacted.
- Severity assessment and exploitability details.
- Access level required for exploitation.
- Exploitability over the network, physical access, or application component.
- Conditions necessary to trigger the vulnerability.
- Availability of Proof of Concept (PoC) exploits.
- Actions an attacker can perform post-exploitation.
- Detectability of exploitation.
Submission Format:
Reports should be submitted using the following Sample VAPT Report Sheet.
Note: A detailed Proof of Concept (PoC) with clear exploitation steps significantly helps us evaluate the issue and provide an effective resolution.
Ensuring Product Updates:
Customers are encouraged to use the latest version of our products to avoid known issues. Check the latest updates here.
The following issues are considered out of scope:
- Self-exploitation scenarios (e.g., self-XSS, cookie reuse, self-DoS).
- Attacks requiring MITM or physical access.
- Clickjacking on non-sensitive pages unless a PoC demonstrates a meaningful exploit.
- CSRF vulnerabilities in non-critical actions.
- Blind SSRF without a working PoC.
- Lack of security headers without direct impact.
- Version number-based vulnerability claims without PoC.
- Invalid/missing SPF/DKIM records with no demonstrated risk.
- Disclosure of static resources or public information.
- Security weaknesses without practical impact.
Submission Channels
Via Support Ticket: Submit a request on support.accops.com with all relevant details.
Via Email: Send your report to [email protected].
Service Level Agreements (SLA) for Reported Vulnerabilities
Priority* | SLA for Accops Products | SLA for Open Source or 3rd Party modules |
Critical | Mitigation or Permanent fix within 15 days | 15 days post validated fix available |
High | Mitigation or Permanent fix within 30 days | 30 days post validated fix available |
Medium | Mitigation or Permanent fix within 60 days | 60 days post validated fix available |
Low | Mitigation or Permanent fix within 180 days | 180 days post validated fix available |
*Priority is determined based on the severity, exploitability, and impact of the vulnerability on Accops products.
Best regards,
Accops Systems Private Limited