Vulnerability Disclosure Policy
At Accesa we strive to create secure and reliable software. This policy outlines considerations and commitments for the disclosure of potential security vulnerabilities to Accesa security personnel in a responsible manner.
Acknowledging the valuable contributions of security researchers, we promote responsible and transparent disclosure of potential security vulnerabilities. We welcome vulnerability reports from any source.
Accesa will investigate legitimate reports and make every effort to quickly resolve any vulnerability being found.
Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of Accesa's services.
Accesa will not pursue civil action or initiate a complaint to law enforcement against you if you:
Engage in testing of our products, services, and IT infrastructure without causing harm, compromising safety or privacy, or otherwise affecting us or our customers, suppliers, partners, or any other person or legal entity.
Adhere to the applicable laws and regulations and refrain from committing criminal offences by performing a test; refrain from infringing any intellectual property rights.
Avoid impact to the safety, confidentiality of commercially sensitive information, or privacy of any person or legal entity.
Do not cause damage to the information, or IT infrastructure being tested.
Restrict the scope of testing to the bare minimum necessary to demonstrate the vulnerability.
Keep confidential any technical details about the exploitation of the vulnerability.
Do not require a financial transaction as a precondition to the disclosure of a potential vulnerability.
Accesa considers activities conducted consistent with this policy to constitute “authorised” conduct.
Accesa will not take legal action against you simply for providing a proof of concept of the security vulnerability. Please follow the guidelines listed in the Proof of concepts section below to ensure that your proof of concept is detailed enough to demonstrate the issue and still follows the guidelines of this disclosure policy.
If you have any questions or concerns about the disclosure policy, please do not hesitate to contact us using email (security [a t] accesa [d o t] eu).
The following company assets are in scope of this Vulnerability Disclosure policy:
If any other assets are discovered and are not listed here, please get in touch with us before proceeding further.
Excluded from vulnerability disclosures
The following assets are completely out of scope and will not be validated if a report is made:
Findings from physical testing such as office access (e.g. open doors, tailgating).
Findings derived primarily from social engineering (e.g. phishing, vishing).
Findings from applications or systems not listed in the "Scope" section. Accesa may accept high-severity issues on out of scope assets if they affect the company directly.
Vulnerability reports with video-only PoCs.
Reports that state that software is out of date or vulnerable without a proof of concept or proper/complete validation steps.
Highly speculative reports about theoretical damage.
Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue.
Issues in third-party services should be reported to the respective team.
The following categories of vulnerabilities are out-of-scope:
Network-level Denial of Service (DoS/DDoS) vulnerabilities.
Low-severity issues that can be detected with tools such as Hardenize and Security Headers.
Content injection issues.
Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
Missing cookie flags.
UI and UX bugs (including spelling mistakes).
Stack traces that do not disclose information.
Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
Open ports without an accompanying proof-of-concept demonstrating vulnerability.
Banner grabbing issues (figuring out what web server is in use, etc.).
Missing X-Frame-Options header (Clickjacking).
Disclosure of robots.txt file.
Email spoofing (SPF misconfigurations).