Simpplr Responsible Disclosure
Simpplr aims to keep its Services safe for everyone, and data security is of utmost priority. No technology is perfect, and Simpplr believes that working with skilled security researchers across the globe is very important in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we appreciate your help in disclosing it to us in a responsible manner. We welcome working with you to resolve the issue promptly.
Simpplr will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. Simpplr reserves all of its legal rights in the event of any noncompliance.
Share the details of any suspected vulnerabilities with the Simpplr Security Team by filing a report. Please do not publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following information:
- Vulnerable URL – the endpoint where the vulnerability occurs;
- Vulnerable Parameter – if applicable, the parameter where the vulnerability occurs;
- Vulnerability Type – the type of the vulnerability;
- Steps to Reproduce – step-by-step information on how to reproduce the issue;
- Screenshots or Video – a demonstration of the attack; and
- Attack Scenario – an example attack scenario may help demonstrate the risk and get your issue resolved faster.
Reports that carry an acceptable risk but demonstrate a valid security-related behavior will be closed as informative. Submissions that don’t present a security risk, are false positives, or are out of scope will be closed as N/A.
Identical reports will be marked as “Duplicate[s]” of the original submission; the original report can be marked as (but not limited to) “Triaged”, “N/A”, or “Informative.”
While we do not currently have a formal vulnerability reporting system in place, please reach out to firstname.lastname@example.org to report any critical issues you may discover. Thank you for helping keep Simpplr and our users safe!
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Submissions may be closed if a researcher is non-responsive to requests for information after 14 days.
In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you. While researching, we’d like to ask you to refrain from:
- Executing or attempting to execute any Denial of Service attack.
- Actions that affect the integrity or availability of program targets; this prohibition is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.
- Social engineering (including phishing) of Simpplr staff or contractors.
- Any physical attempts against Simpplr property or data centers.
- Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
- Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
- Testing third party applications or websites or services that integrate with or link to the Service.
Excluded Submission Types
Some submission types are excluded because they are dangerous to assess, or because they have low security impact to the program owner. This section contains issues that Simpplr does not accept. We strongly suggest you do not report these issues unless you can demonstrate a chained attack with higher impact.
- Findings from physical testing such as office access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing, vishing).
- Findings from applications or systems not listed in the ‘Targets’ section.
- Functional, UI and UX bugs and spelling mistakes.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Cookie flags.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha bypass.
- Username enumeration via Login Page error message.
- Username enumeration via Forgot Password error message.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS / TRACE HTTP method enabled.
- SSL attacks such as BEAST, BREACH, Renegotiation attack.
- SSL forward secrecy not enabled.
- SSL insecure cipher suites.
- Missing Anti-MIME-Sniffing header (X-Content-Type-Options).
- Missing HTTP security headers, specifically those listed at http://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/.
- Brute-force, rate-limiting, velocity throttling, and other denial-of-service-based issues.
- Covert Redirects.
- Login/Logout CSRF.
- Malicious attachments on file uploads or attachments.
- Missing additional security controls, such as HSTS or CSP headers.
- Mobile issues that require a rooted or jailbroken device.
- Password recovery policies, such as reset link expiration or password complexity.
- SPF, DKIM, DMARC issues.
- XSS (or similar behavior) where you can only attack yourself.
- XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom tiles.
We ask that you do not share with or publicize to third parties an unresolved vulnerability. If you responsibly submit a vulnerability report, the Simpplr security team and associated development organizations will use reasonable efforts to:
- Acknowledge receipt of your vulnerability report in a timely manner;
- Provide an estimated time frame for addressing the vulnerability report; and
- Notify you when the vulnerability is fixed.
We are happy to thank you for your responsible disclosure and for helping us keep our customers safe.