Introduction
At Accops, which provides workspace virtualization, access gateway and identity management solutions to companies, we consider the security of our software a top priority. We encourage you to contact us to report potential vulnerabilities in our products so that we can address them as quickly as possible and better protect our clients and our systems.
If you discover a vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible.
Guidelines
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue.
- Don’t publicly disclose a vulnerability without our consent and review.
- Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Out Of Scope
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.
- Systems or issues that relate to third-party technology used by Accops.
- Any attack or vulnerability that hinges on a user’s endpoint first being compromised.
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software.
- Any kind of rate limit, service limit or timing abuse, or DoS/DDoS attacks, unless the attack exposes an abuse of functionality, data exfiltration or a similar abuse beyond service unavailability.
- Spamming forms by automated means is explicitly out of scope (including issues related to SPF/DKIM/DMARC).
- Attempting to compromise our endpoints by brute force scanning is out of scope.
- "Scanner output" or scanner-generated reports
- Self-XSS
- CSRF for non-significant actions (logout, forms with no sensitive actions, etc.)
- Clickjacking attacks without a documented series of clicks that produce a vulnerability
- Content injection, such as reflected text or HTML tags
- Missing HTTP headers, except where their absence fails to mitigate an existing attack
- Vulnerabilities that require access to passwords, tokens, or the local system (e.g. session fixation)
- Assumed vulnerabilities based upon version numbers only
- Vulnerabilities discovered shortly after their public release
Scope
Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing.
If you are not sure whether a system is in scope or not, contact us at [email protected] before starting your security testing.
Reporting a vulnerability
If you believe you’ve found a security vulnerability on or within an Accops product (listed in the “Scope” section), we ask that you inform us as quickly as possible by emailing [email protected]. We will work to review reports and respond in a timely manner.
Do provide sufficient information to reproduce the vulnerability, so we will be able to resolve it as quickly as possible.
What we promise
We will respond to your report within 3 business days with our evaluation of your report.
In the public information concerning the reported problem, we will name you as the discoverer of the problem (unless you desire otherwise), and as a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly, and Accops will not recommend or pursue legal action related to your research.
Best regards,
Accops Systems Private Limited