Introduction

We take the security of our customers’ data very seriously. If you believe you have discovered a potential security vulnerability in the SECLINQ website or one of our services, we strongly encourage you to report it to our responsible disclosure contact as quickly as possible and in a responsible manner.

We appreciate the assistance and patience of security researchers and are committed to reviewing all reports that are disclosed to us. We will do our best to address each issue promptly, and we request that you allow us a reasonable time frame in which to do so.

Please do not publicly disclose the details of any potential security vulnerabilities without express written consent from us.

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible Disclosure Program. In the event of any non-compliance, we reserve all of our legal rights.

If in doubt, please contact the SECLINQ Team by sending an email to security@seclinq.com.

Responsible Disclosure Program


We encourage you to conduct responsible security research on our website (seclinq.com). Vulnerability research and testing are permitted only on our website, and only where you have authorized access.

The following types of research are strictly prohibited:

  • Accessing or attempting to access accounts or data that does not belong to you
  • Any attempt to modify or destroy any data
  • Executing or attempting to execute a denial of service (DoS) attack
  • Sending or attempting to send any unsolicited or unauthorized email, spam, or any other form of unsolicited messages
  • Conducting social engineering (including phishing) of SECLINQ employees, contractors, customers or any other party
  • Any physical attempts against our property
  • Posting, transmitting, uploading, linking to, sending, or storing malware, viruses, or similar harmful software that could impact our services, customers, or any other party
  • Testing third-party websites, applications, or services that integrate with our services or products
  • The use of automated vulnerability scanners (such as Acunetix, AppScan, Rapid7 AppSpider, Burp Suite Pro active scanner, Nessus, Netsparker, OpenVAS, etc.)
  • Exfiltrating any data under any circumstances
  • Using more than one concurrent connection or thread during testing
  • Any activity that violates any law

The following finding types are excluded from this Responsible Disclosure Program:

  • Reports from automated vulnerability scanners
  • Descriptive error messages such as stack traces, application or server errors
  • HTTP 404 codes or pages, or other HTTP non-200 codes or pages
  • Fingerprinting or banner disclosure on common and public services
  • Disclosure of known public files or directories, such as robots.txt
  • Clickjacking and other issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users, such as contact, login, and logout forms
  • CSRF with minimal security implications
  • Content spoofing or text injection
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of Secure or HTTPOnly flags on non-sensitive cookies
  • Login or Forgot Password page brute force and account lockout not enforced
  • Enabled HTTP methods (such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc.) without a valid attack scenario
  • Missing HTTP security headers, such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, etc.
  • Host header or CSV injection without a valid attack scenario
  • HTTP or DNS cache poisoning
  • Missing best practices in SSL/TLS configuration without a working proof of concept
  • Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.)
  • Issues related to brute forcing, rate limiting and other denial of service type attacks
  • Weak password policy implementation
  • Use of known-vulnerable libraries or frameworks (e.g. outdated jQuery) without a valid attack scenario
  • Issues that rely on outdated or unpatched browsers and platforms to be abused
  • Spam and e-mail misconfiguration with no direct impact to SECLINQ.

Other rules:

  • Respect the rules. This includes this policy and other rules that apply.
  • Report vulnerabilities promptly
  • Prevent privacy breaches, damage to systems or data or other matters that could harm the user experience.
  • Only use official channels to discuss potential vulnerabilities with us.
  • Handle confidential data or details arising from vulnerabilities according to our disclosure policy
  • Limit your testing to the matters covered by the policy. Testing items or systems that are explicitly outside the policy is not allowed.
  • If a vulnerability provides unintentional access to information, keep the information you acquire to the bare minimum needed to demonstrate the existence of the vulnerability, and stop testing as soon as you access personal, health or credit card information belonging to third parties.
  • Only use your own test accounts, or accounts of persons from whom you have obtained explicit permission.
  • Demanding a reward in exchange for information about vulnerabilities, or any other form of extortion, is prohibited.

How to Report a Potential Security Vulnerability

You can responsibly disclose potential security vulnerabilities to the SECLINQ Security Team by emailing security@seclinq.com. Include details of the potential security vulnerability and exploit with enough information to enable the Security Team to reproduce your steps.

When reporting a potential security vulnerability, please include as much information as possible, including:

  • An explanation of the potential security vulnerability;
  • The URLs or services that may be affected (where possible);
  • Steps to reproduce the vulnerability;
  • Proof-of-concept code (where applicable);
  • The names of any test accounts you have created (where applicable); and
  • Your contact information.

What happens next?

Once you have reported a potential security vulnerability, we will contact you within 72 hours with an initial response. Going forward, we will keep you informed of our progress towards addressing the potential security vulnerability and will notify you when the matter has been addressed.

Subject to any regulatory and legal requirements, all reports will be kept strictly confidential, including the details of the potential security vulnerability as well as the identity of all researchers involved in reporting it. If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.

We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the potential security vulnerability.

Please note that we do not compensate individuals or organizations for identifying potential or confirmed security vulnerabilities. Any requests for monetary or other compensation will be deemed in violation of this Responsible Disclosure Program.