Responsible Disclosure
Introduction
At Prisidio, our mission is not only to provide a secure platform for managing your documents but also to protect your most important information. We believe that security is the cornerstone of our service, and we are dedicated to maintaining the safety of your data.
Our responsible disclosure policy aims to facilitate open and responsible communication and collaboration between Prisidio and the security research community. This policy outlines the scope of systems and research covered, the process for submitting vulnerability reports, and the expected time frame for security researchers to wait before publicly disclosing any discovered vulnerabilities. By working together, we can continuously improve our security posture, protect our users' data, ensure the trust and confidence of our valued customers, and avoid inadvertently assisting those who would do harm.
We invite security researchers to review this policy thoroughly and to adhere to its guidelines when conducting research on our systems. Your expertise and insights are invaluable in helping us identify potential security issues and enhance the safety and reliability of our services. We look forward to your valuable contributions and thank you for your commitment to responsible disclosure.
Authorization
Prisidio will not recommend or pursue legal action related to your research, as long as it adheres to this policy. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Test Methods
To maintain the integrity of our systems and the safety of user data, we have established guidelines for acceptable test methods under this responsible disclosure policy. Testing conducted for any reason other than helping us improve the security of our systems and data is not acceptable. Testing conducted for the private interests of the tester, including for business or financial gain, is likewise not acceptable. Security researchers must follow these guidelines when performing vulnerability assessments or penetration tests against our systems.
Unauthorized and Unacceptable Test Methods
The following test methods are NOT authorized or accepted under our responsible disclosure policy:
- Network denial of service (DoS or DDoS) tests, or any other tests that may impair access to, disrupt, or damage a system or data.
- Physical testing, including but not limited to unauthorized office access, open doors, tailgating, dumpster diving, or lock-picking.
- Social engineering, such as phishing, vishing, spam, or pretexting, or any other non-technical vulnerability testing that targets our employees or users.
- Use of automated vulnerability scanners or submission of findings solely derived from automated scan reports, as these often generate inaccurate or incomplete results.
- Uploading, distribution, or execution of malware, ransomware, or any other malicious software on our systems.
- Testing that alters or renders unavailable data residing on or processed by our systems.
- Reporting missing HTTP security headers, or missing cookie attributes (such as Secure or HttpOnly) on non-sensitive cookies, as these findings on their own typically have a low impact on overall security.
We encourage security researchers to focus on high-impact vulnerabilities, such as those related to authentication, authorization, data exposure, or code execution. By concentrating on these areas, we can work together to identify and address critical security issues that pose the most significant risks to our users' data and privacy.
Scope
Our responsible disclosure policy specifically applies to the following systems and services within the Prisidio domain:
- *.app.prisid.io
- www.prisid.io
Any services or systems not explicitly listed above, including connected or third-party services, are considered to be outside the scope of this policy and are not authorized for testing.
Additionally, vulnerabilities discovered in systems belonging to our vendors or partners fall outside the purview of this policy. We kindly request that you report such vulnerabilities directly to the relevant vendor or partner, following their disclosure policy, if available.
If you are uncertain about whether a particular system or service falls within the scope of our responsible disclosure policy, we strongly encourage you to contact us before initiating any security research. To reach out to us for clarification or any other inquiries, please visit our contact page at https://www.prisid.io/contact.
Reporting a vulnerability
If you believe that you have discovered a security vulnerability within the scope of our responsible disclosure policy, we encourage you to report it to us via https://www.prisid.io/contact. You may choose to submit your report anonymously or provide your contact information. If you opt to share your contact details, we will acknowledge receipt of your report within 3 business days.
Recommended Report Content
To help us efficiently triage, prioritize, and address submissions, we kindly ask that your vulnerability reports include the following information:
- A clear description of the location where the vulnerability was discovered and an assessment of the potential impact of its exploitation.
- A detailed explanation of the steps required to reproduce the vulnerability, including proof of concept scripts, screenshots, or any other relevant documentation that could assist us in understanding and resolving the issue.
Our Commitment to You
When you share your contact information with us, we pledge to collaborate with you in a transparent, timely, and open manner. You can expect the following from us:
- An acknowledgment of receipt for your submitted report within 3 business days.
- Confirmation of whether the reported issue is a valid vulnerability, once we have completed triage.
- Ongoing dialogue and open channels of communication to discuss any concerns or updates related to the reported vulnerability and remediation process.
By working together, we can address security vulnerabilities efficiently and effectively, ultimately enhancing the safety and reliability of our services for all users.
Rewards
While Prisidio does not currently provide financial rewards or bounties for the disclosure of security vulnerabilities, we deeply value and appreciate the efforts of security researchers who contribute to improving our systems' security. To acknowledge and express our gratitude for your contribution, we have implemented a reward system that offers non-financial incentives.
For researchers who successfully identify and report valid vulnerabilities that are acknowledged and accepted by our security team, we may, in certain cases, offer Prisidio-branded merchandise ("swag") as a token of our appreciation. This swag may include items such as T-shirts, hoodies, stickers, or other promotional materials that showcase your valuable contribution to our security efforts. Our shipping capabilities for promotional merchandise are limited to mailing addresses within the United States.
In addition to Prisidio swag, researchers whose vulnerability disclosures are deemed particularly significant or impactful may be recognized on our website, social media channels, or in other public announcements, subject to the researcher's consent. This public acknowledgement not only showcases your expertise but also highlights your commitment to enhancing cybersecurity and protecting users' data.
Please note that the decision to provide Prisidio swag or public recognition is at the sole discretion of our security team and is based on the severity, impact, and overall importance of the reported vulnerability. We encourage you to continue sharing your discoveries and collaborating with us to ensure the security and privacy of our users.