Vulnerability Disclosure Program

Rules of engagement
  • Reporters submitting a vulnerability to SecOrigin agree to be bound by the terms of the Vulnerability Disclosure Policy (“Terms”).
  • We explicitly specify what is in scope and out of scope for vulnerability discovery, and state this clearly in the sections below.
  • Reporters should make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Reporters should only exploit a vulnerability to the extent necessary to confirm that it exists.
  • Reporters should not exploit a vulnerability to compromise or exfiltrate data, establish command-line access and/or persistence, or “pivot” to other systems.
  • Once a reporter establishes that a vulnerability exists, or encounters any sensitive data, the reporter should stop any further testing and notify us immediately.
  • Reporters shall keep any information about discovered vulnerabilities confidential after submitting the vulnerability report.
  • We discourage violation of any applicable laws and breach of any agreements in order to discover vulnerabilities.
  • SecOrigin reserves the right to pursue legal action when the terms of this policy are violated or when testing is performed outside the scope of this policy.
  • SecOrigin may include an NDA and also make updates to this policy from time to time.
  • The decision made by our security team regarding validity, severity & impact of a vulnerability will be considered final and cannot be contested.
  • We may share your vulnerability reports with any affected partners, vendors or open source projects.
What we promise you:
  • Within 5 business days of receiving your report, SecOrigin will respond with an analysis of the issue and an anticipated response timeline.
  • If you complied with the guidelines above, SecOrigin won’t pursue legal action against you in relation to the report.
  • Except in cases where it’s required by law, SecOrigin won’t divulge your personal information to anyone without your express consent. It is possible to submit an anonymous or pseudonymous report.
  • You will be updated on the vulnerability’s progress by SecOrigin.
  • In the event that SecOrigin chooses to disclose the details of the reported vulnerability, we will credit you as the discoverer of the vulnerability, if you so wish.
  • Don’t access the system more than once or give others access.
Rewards:
  • SecOrigin Technologies does not have a bounty/cash reward program for vulnerability disclosures, but we express our gratitude for your contribution in different ways. For genuine ethical disclosures, we will gladly acknowledge your contribution publicly in this section of our website. Of course, this will only be done if you want a public acknowledgement.
Reporting an issue

Vulnerabilities discovered on our systems while testing within the scope of this policy can be reported by email to security@secorigintechnologies.com. Please ensure that the following information is included when submitting a vulnerability report.

  • Description of the location and potential impact of the vulnerability. Please include any CVEs when available.
  • A detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
  • Any technical information and related materials we would need to reproduce the issue.
  • If possible, please include your contact details (email, mobile number) so that our security team can reach out to you for any clarifications.
Eligibility for Hall of Fame
  • You must be the first person to responsibly disclose the vulnerability.
  • The vulnerability must have been discovered while testing within the scope of this policy.
  • Reported vulnerability significantly impacts security and integrity of SecOrigin or impacts the privacy of customer or partner data.
  • Vulnerabilities are rated Critical, High, Medium, or Low; only vulnerabilities rated Critical or High are eligible for the Hall of Fame.