VisibleThread Responsible Disclosure Programme
Introduction
Protecting our customers and employees from cyber threats is of paramount importance at VisibleThread. We are committed to ensuring the safety and security of our digital products and services. To help achieve this goal, we have established a Responsible Vulnerability Disclosure Program to provide clear guidance for anyone reporting potential security vulnerabilities to us.
We recognize the valuable contributions of security researchers in creating a safe and secure digital ecosystem. If you have identified a potential security vulnerability in our digital products or services, we encourage you to report it to us immediately by following the below guidelines.
Voluntary Submissions
Submission of vulnerability reports to our Responsible Vulnerability Disclosure Program is voluntary, and no monetary rewards, bounties or other forms of transfer of value will be provided.
What You Can Expect
VisibleThread will make best efforts to meet the following response targets:
- Time to first response / acknowledgement: 10 days.
- Time to resolution: depends on complexity and impact.
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Program rules
- On a best-efforts basis, you should take steps to avoid violating applicable laws (including, without limitation, privacy or data protection laws), destroying data, or interrupting or degrading production systems during your research.
- If you come across or gain access to potentially sensitive data, stop your testing and report the finding back to VisibleThread. We will take all reasonable steps to validate your report.
- Use only your own account for testing purposes. Do not use or attempt to use another user’s account.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact; when a duplicate vulnerability report is submitted, we will triage only the first report received.
- Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
- Multiple potential security vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g., spear phishing, phishing, vishing, smishing) is strictly prohibited.
- Denial of service (DoS), distributed denial of service (DDoS), and automated vulnerability scanners that generate significant web traffic are strictly prohibited.
Program scope
The following services are in-scope:
- https://writer.visiblethread.com
- https://docs.visiblethread.com
Ineligible submission types
Although we encourage the security researcher community to submit any vulnerability affecting the security of VisibleThread’s digital products or services that are within the scope of this program, the following submission types are excluded from the scope of this program:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Previously known vulnerable libraries without a working proof of concept.
- Comma separated values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service.
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in content security policy.
- Missing HttpOnly or Secure flags on cookies.
- Software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors).
- CORS misconfiguration without an exploitation scenario.
- Copy/pasting tool output (ex: WPScan results, SSL Labs links) as a report. A PoC and detailed description on how it can affect a user’s data or Intuit data/infrastructure must be included.
- Open redirect – unless an additional security impact can be demonstrated.
Safe Harbor
Any activities conducted in a manner VisibleThread deems consistent with this policy will be considered authorized conduct and we will not initiate legal action against you for activities directly related to the identification of the reported vulnerability. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep VisibleThread and its information safe!