Responsible Disclosure
Reporting
We take security very seriously. If you find a security vulnerability, we ask you to responsibly disclose the details to us.
- Reach out to security@ehsinsight.com or use our vulnerability report page if you have found a potential vulnerability in our products that meets all of the criteria listed below. You can expect a confirmation from our security team within about 48 working hours of submission.
- Please refrain from doing security testing in existing customers' production accounts.
- When conducting security testing, make sure not to violate our privacy policies, modify/delete user data, disrupt production servers, or to degrade user experience.
- You are allowed to disclose the discovered vulnerabilities only to security@ehsinsight.com or through our vulnerability report page. Publicly documenting any potential in-scope or out-of-scope vulnerability is against our responsible disclosure policy.
- If your finding is valid and unique, you may be eligible for a reward.
Out of Scope Vulnerabilities
- Clickjacking / UI Redressing attack
- Self-XSS and XSS that affects only outdated browsers
- Use of components with known vulnerabilities without a relevant proof of concept of an attack
- Host header and banner grabbing issues
- Denial of Service attacks and Distributed Denial of Service attacks
- Automated tool scan reports (for example, web, SSL/TLS, or Nmap scan results)
- Missing HTTP security headers and cookie flags on insensitive cookies
- Missing rate limiting and brute-force attacks
- Login/logout/low-business impact CSRF
- Unrestricted file upload
- Open redirects - unless they can be used for actively stealing tokens
- Formula/CSV Injection
- Vulnerabilities that require physical access to the victim's machine
- User enumeration (such as user email or user ID)
- Phishing / Spam (including issues related to SPF/DKIM/DMARC)
- Missing security best practices
- Vulnerabilities found in third party services
- Session fixation and session timeout