Vulnerability Disclosure Policy

Guidelines on conducting security assessment over Quantive Results systems and communication with our Security team.

Written by Neli Ivanova
Updated over a week ago

Introduction

Quantive Results is committed to ensuring the security of our customers by protecting their information. As such, we encourage responsible reporting of vulnerabilities that might be identified in our products. This policy is intended to give clear guidelines for conducting security assessment activities, information on systems in scope, and conveys our preferences in how to submit discovered vulnerabilities.

Terms and Conditions

Before you commence any testing activities you must read and abide by the following rules:

  • Use your own account for testing, do not attempt to gain access to another user’s account or confidential information.

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.

  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.

  • Notify us as soon as possible after you discover a real or a potential security issue.

  • Do not perform social engineering activities, such as phishing, vishing, smishing, etc.

  • Do not conduct network denial of service (DoS/DDoS) tests.

  • If sensitive data is encountered, including Personally Identifiable Information (PII), Quantive Results proprietary data, or another customer's data, you must stop your test, purge the related data from your systems, and notify us immediately.

Scope

This policy applies only to:

Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems belonging to our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy.

Although we develop and maintain other internet-accessible systems or services, active research and testing should only be conducted on the systems and services covered by the scope of this policy. If there is a particular system not in scope that you think merits testing, please contact us.

Items out of scope of this policy include:

  • Missing best practices in Content Security Policy (CSP) headers.

  • Missing HttpOnly or Secure flags on cookies.

  • Reports related to e-mail services (invalid, missing or incomplete SPF/DKIM/DMARC records).

  • SQL injection in the Insight module that is part of the application's intended functionality.

  • XSS in the Insight module that represents an intended application feature.

  • Clickjacking vulnerabilities.

  • Low severity issues related to session management.

  • Issues related to email enumeration or verification of user accounts.

Reporting a vulnerability

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.

  • Please submit vulnerability reports with concise steps to reproduce.

  • For additional security you can encrypt the report with the PGP key found here.

  • Reports should be written in English, if possible.

  • We will acknowledge receipt of your report within 3 business days.

  • Reports should be submitted to [email protected].

Disclosure

Please report vulnerabilities only to the security team at Quantive Results, and not publicly. Quantive Results follows the private disclosure method in order to minimize attacks against current users of Quantive Results before the reported vulnerabilities are fixed. We will collaborate with everyone who wishes to disclose a vulnerability.

Quantive Results will perform an internal investigation in case of a serious issue (defined as high or critical severity). It is at our discretion whether to inform customers if none of their data has been affected.

Rewards

Unfortunately, due to our current funding structure we do not offer a paid bug bounty program and cannot provide monetary rewards for vulnerability submissions. What we can do is issue a personal reference or a letter as a token of appreciation that attests to your merits, contribution, and professionalism.

Authorization

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 3 business days, we will acknowledge that your report has been received.

  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

  • We will maintain an open dialogue to discuss issues.