eTermin recognizes the need to engage the cybersecurity community to protect customer data and work together to create more secure solutions and applications. This Responsible Disclosure Program adds an extra layer to our IT security testing, where individuals, developers and experts (a.k.a. "Researchers") can find and report security-related bugs in eTermin software - before someone else does.

Researchers are welcome to voluntarily report all vulnerabilities they find in eTermin solutions. Submissions are subject to the terms and conditions set forth on this page ("Policy Terms"), and by submitting a vulnerability report to eTermin the Researcher acknowledges that they have read and agreed to these terms.

It's time for bugs to bug off :)


Terms and Conditions

To comply with the terms in this Responsible Disclosure Policy:

  • Do not execute or attempt to execute any “Denial of Service” attack.
  • Do not post, transmit, upload, link to, send or store any malicious software.
  • Do not perform tests that would result in sending unsolicited or unauthorized junk mail, spam or other forms of unsolicited messages.
  • Do not run automated scans without checking with eTermin first.
  • Do not test in a manner that would corrupt the operation of eTermin solutions.
  • Do not test equipment or the physical security in eTermin stores.
  • Do not use social engineering techniques.
  • Do not test third-party applications, websites or services that integrate with or link to eTermin properties.
  • Do not publicly disclose any vulnerability until 30 days after the vulnerability has been resolved by eTermin, and never without eTermin's prior written consent. Do not include any sensitive data in the disclosed vulnerability.
  • Delete all data and sensitive information obtained during your analysis once the report has been submitted.


Response Times

eTermin will make a best effort to meet the following response targets for researchers participating in our program:

  • Time to first response (from report submission) - 2 business days
  • Time to triage (from report submission) - 2 business days

We'll try to keep you informed about our progress throughout the process.


Vulnerabilities accepted

Accepted, in-scope vulnerabilities include, but are not limited to:

  • Injection vulnerabilities
  • Broken Authentication and Session Management
  • Cross Site Scripting (XSS)
  • Remote Code Execution
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards
  • Directory/Path traversal
  • Exposed credentials


Out of scope vulnerabilities

Certain vulnerabilities are considered out-of-scope for the Responsible Disclosure Program. Those out-of-scope vulnerabilities include, but are not limited to:

  • Social Engineering attacks
  • Account enumeration using brute-force attacks
  • Weak password policies and password complexity requirements
  • Missing HTTP security headers which do not lead to a vulnerability
  • Reports from automated tools or scans
  • Presence of autocomplete attribute on web forms
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL/TLS issues, best practices or insecure ciphers
  • Self-exploitation attacks
  • Test versions of applications
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • Solutions affected by known CVEs published less than 30 days ago


In scope

eTermin.net and any other eTermin branded domain/service


Awarding process

An internal committee meets monthly and is responsible for analyzing reports and deciding on rewards. Only CRITICAL and HIGH vulnerabilities that have been resolved may receive an award, and the decision rests solely with eTermin.


Legal

By submitting a report to eTermin, you acknowledge that you have read and agreed to these terms. You also warrant and represent to eTermin that you are the sole creator of the submission, and you hereby grant eTermin permission to use, reproduce, copy, modify and otherwise dispose of your submission as eTermin sees fit.
You acknowledge and agree that you shall not use your relationship with eTermin for any marketing or financing purpose or as a reference in any personal or professional presentation, documentation or other material, nor in any way utilize (neither on the Internet nor in any other way communicate to the public) any trade name, business name, logotype or trademark of eTermin.


Please submit your findings to vulnerability@etermin.net


Thank you for helping keep eTermin and our users safe!