Centercode is committed to ensuring the safety and security of our customers. We aim to foster an open partnership with the security community, and we recognize that the community's work is important in continuing to ensure safety and security for all of our customers. We have developed this policy both to reflect our corporate values and to uphold our responsibility to the good-faith security researchers who provide us with their expertise.
Scope
This policy applies to the production environments of Centercode's products, services, and systems. Vulnerabilities found in vendor systems fall outside of this policy's scope and should be reported directly to the vendor via their own disclosure programs. If you aren't sure whether a system is in scope, or need help reporting a finding to a vendor, contact us at security@centercode.com.
Responsible Disclosure
We encourage responsible disclosure of vulnerabilities. This means that we ask that you:
- Engage in testing of systems or in research, in each case without harming Centercode or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on Centercode products without affecting customers.
- Receive express written permission from our customers before engaging in vulnerability testing against their instance of the Centercode Platform or other customer-specific deployments.
- Adhere to the laws of your location and the laws of the location of Centercode and its systems.
- Do not disclose vulnerability details publicly until we have mutually agreed on disclosure.
Out of Scope Vulnerabilities
We encourage reporting of all vulnerabilities found in our production environments; however, the following classes of issues are out of scope:
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working proof of concept.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- Rate-limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version).
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g., stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month; these will be awarded on a case-by-case basis.
- Tabnabbing.
- Open redirect — unless an additional security impact can be demonstrated.
Disclosure Process
To report a vulnerability, please send an email to security@centercode.com. The following guidelines help us triage and resolve your report:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
Coordinated Disclosure
When you report a vulnerability in accordance with this policy, you can expect from us:
- A timely response to your email (within 2 business days).
- After triage, an expected timeline, along with a commitment to be as transparent as possible about the remediation timeline and about any issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification as the vulnerability analysis completes each stage of our review.
- If we are unable to resolve communication issues or other problems, Centercode may bring in a neutral third party to assist in determining how best to handle the vulnerability.
Non-Disclosure
We ask that you not disclose the vulnerability publicly until we have had reasonable time to address it.
Exceptions
We will not take legal action against you if you comply with this policy and make a good-faith effort to avoid harm. However, we will not hesitate to take legal action against those who intentionally exploit a vulnerability or engage in unauthorized access to our systems.
Questions? security@centercode.com