Responsible Vulnerability Disclosure Program

Purpose

At Acculizein Tech, one of our founding principles is to “Improve Continuously”. In our information security program this translates directly into treating the protection of our guests' and customers' data as a top priority.
The Acculizein Tech Security Team acknowledges the valuable role that honest, independent security researchers and bug reporters play in the overall security of connected systems. As a result, we encourage the responsible reporting of any vulnerability that may be present in our client properties, mobile application, or company website and services. Acculizein Tech is committed to working with security researchers to verify and address potential vulnerabilities that are reported to us.
Please review these terms before you test and/or report a vulnerability to Acculizein Tech. We will provide safe harbor to security researchers as long as they adhere to this policy and act in good faith.

Please share details of the suspected vulnerability with our Security Team by sending an email to security@acculizeintech.com

Sharing of vulnerability details outside of our formal reporting process is not permitted and will not result in acceptance by Acculizein Tech of your vulnerability report.

Policy

We will investigate all legitimate reports and make every effort to quickly correct any vulnerability. We ask in return that you:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Give the Acculizein Tech Security Team a reasonable time to correct the issue before making any information public

In Scope & Out of Scope Targets

All parts of our applications and services available to customers are in scope and are our primary interest. Please have a look below for in scope targets.

Acculizein Tech uses a number of third-party providers and services. Our disclosure program does not give you permission to perform security testing on their systems. Vulnerabilities in third-party systems will be assessed case by case and will most likely not be eligible for a reward. The following third-party systems and attack types are excluded:

  • Direct attacks against any part of cloud infrastructure
  • Cloudflare
  • WordPress

Qualifying Vulnerabilities

Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, local or remote file inclusion, authentication issues, remote code execution, authorization issues, privilege escalation, and clickjacking (except on public pages; see Non-Qualifying Vulnerabilities below). The vulnerability must be in one of the services named in the “In Scope” section above. You must be the first researcher to responsibly disclose the vulnerability, and you must follow the responsible disclosure guidelines set out in this Policy, which include giving us a reasonable amount of time to address the vulnerability. We will confirm the reasonable amount of time with you following the disclosure of the vulnerability.

Non-Qualifying Vulnerabilities

Low severity, purely theoretical and best-practice issues do not qualify for submission. Here are some examples:

  • Descriptive error messages (e.g., Stack Traces, application or server errors)
  • Theoretical sub-domain takeovers with no supporting evidence
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Information leakage, fingerprinting/banner disclosure on common/public services
  • Disclosure of known public files or directories, (e.g., robots.txt)
  • Clickjacking on a public page and issues only exploitable through clickjacking
  • CSRF on forms that are available to anonymous users (e.g., the contact form)
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Lack of Secure/HttpOnly flags on non-sensitive cookies
  • Weak Captcha/Captcha Bypass
  • Brute force against the forgot-password page, and account lockout not being enforced
  • OPTIONS HTTP method enabled
  • Reflected file downloads
  • Missing Cache-control
  • Host header attacks without evidence of the ability to target a remote victim
  • Directory Listing
  • Missing HTTP security headers, (specifically OWASP list of useful HTTP headers)
  • TLS issues (BEAST, BREACH, renegotiation attacks, forward secrecy not enabled, weak ciphers)
  • Not performing rate limiting on non-login endpoints
  • Content spoofing
  • Lack of HPKP or HSTS preloading
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
  • SPF, DKIM, or DMARC settings and email spoofing
  • Mixed content and self-XSS
  • EXIF Geolocation data
  • Open WordPress JSON (REST) API without a demonstrated exploit
  • Password Reset token leakage (This is known and we will implement a fix)
  • Password policy