Report a Potential Security Issue

Introduction

ThreatQuotient is committed to the privacy and security of our users and staff as core values. We believe that responsible disclosure of security vulnerabilities by independent researchers is an integral part of this commitment, provided it is conducted with appropriate trust, transparency and respect.

Policy Details

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information regarding any vulnerabilities you have discovered confidential between yourself and ThreatQuotient.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research into the disclosed vulnerabilities;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Recognize your contributions on our Security Researcher Wall of Fame, if you are the first to report the issue and we make a code or configuration change based on it.

In Scope Targets

*.threatq.com
ThreatQ Platform
ThreatQ Applications

In Scope Vulnerabilities

  • SQL Injection
  • Cross-site Scripting (XSS)
  • Significant Authentication Bypass
  • Access Control Issues (Insecure Direct Object Reference issues, etc)
  • Cross-site Request Forgery (CSRF) on critical actions
  • Disclosure of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Server-side Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Exposed Administrative Panels that don’t require login credentials
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Server Side Template Injection (SSTI)

Out of Scope Vulnerabilities

In the interest of safety and legality for all relevant parties, the following test types are excluded from scope:

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit
  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘In Scope Targets’ section
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Third-party applications, websites, or services that integrate with or link to ThreatQuotient
  • Content Injection issues
  • Most brute-forcing issues
  • Issues that require physical access to a victim’s computer

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data
  • Unsolicited malware samples

Submit Security Issue

Responsible Disclosure
Submit your report using the form on this page or by email.

Wall of Fame

2020
Daniel Kalinowski