
    Responsible Disclosure

    Reporting

    We take security very seriously. If you find a security vulnerability, we ask you to responsibly disclose the details to us.

    • Reach out to security@ehsinsight.com or use our vulnerability report page if you have found a potential vulnerability in our products that meets all of the criteria listed below. You can expect a confirmation from our security team within about 48 working hours of submission.
    • Please refrain from security testing against existing customers' production accounts.
    • When conducting security testing, make sure not to violate our privacy policies, modify or delete user data, disrupt production servers, or degrade the user experience.
    • You are allowed to disclose discovered vulnerabilities only to security@ehsinsight.com or through our vulnerability report page. Publicly documenting any potential vulnerability, whether in or out of scope, is against our responsible disclosure policy.
    • If your finding is valid and unique, you may be eligible for a reward.

    Out of Scope Vulnerabilities

    • Clickjacking / UI redressing attacks
    • Self-XSS, and XSS that affects only outdated browsers
    • Use of components with known vulnerabilities without a working proof of concept of the attack
    • Host header and banner-grabbing issues
    • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
    • Automated tool scan reports (for example, web, SSL/TLS, or Nmap scan results)
    • Missing HTTP security headers, and missing cookie flags on non-sensitive cookies
    • Missing rate limiting and brute-force attacks
    • Login, logout, and other low-business-impact CSRF
    • Unrestricted file upload
    • Open redirects, unless they can be used to actively steal tokens
    • Formula/CSV injection
    • Vulnerabilities that require physical access to the victim's machine
    • User enumeration (for example, user email, user ID)
    • Phishing / spam (including issues related to SPF/DKIM/DMARC)
    • Missing security best practices
    • Vulnerabilities found in third-party services
    • Session fixation and session timeout