Responsible Disclosure Policy
Effective Date: July 26, 2024
Enveedo aims to keep its platform safe for everyone, and data security is our priority. If you are a security researcher and have discovered a security vulnerability in our platform, we appreciate your help in disclosing it to us in a secure and responsible manner.
Currently we don’t have a bug bounty program, but in case of any finding or potential finding that would address this “vulnerability disclosure” clause, feel free to contact security@enveedo.com to start the process of secure exchange information. We will acknowledge your email within one week.
Only vulnerabilities submitted via the appropriate channel will be managed. If you’ve previously responsibly disclosed a vulnerability to us, don’t do it again.
When submitting a vulnerability, please adequately describe the attack scenario, the level of exploitability, the impact of the finding on Enveedo and/or Enveedo’s customers and users, and a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue would not be manage by our team.
Out of Scope Vulnerabilities and Exclusions
Our program will attend only a selected group of vulnerabilities but the following issues will be considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Missing best practices in Content Security Policy.
- Missing email best practices (for example, invalid, incomplete or missing SPF/DKIM/DMARC records).
- Vulnerabilities affecting users of outdated or unpatched browsers.
- Public Zero-day vulnerabilities that have had an official patch available for less than 1 month.
- Open redirect (without additional security impact demonstrated).
Please, don’t report any of the above topics.
Contact
We welcome your feedback, questions, and suggestions. Please don't hesitate to reach out to us at security@enveedo.com.