At Huntress, we are deeply committed to upholding the highest security standards. We recognize that safeguarding our systems and services is a collective effort, and we embrace collaboration with the security research community. As part of this commitment, we are pleased to introduce the Huntress Vulnerability Disclosure Program (VDP).
Our Commitment to You*
When you engage with the Huntress VDP, you can expect the following from us:
- Collaborative Engagement: We will work closely with you to comprehensively understand and validate your security report.
- Timely Response: Our goal is to triage reports within thirty business days.
- Efficient Remediation: We aim to address valid findings within 90 days.
- Recognition: If you are the first to report a unique and significant vulnerability through the Huntress VDP, you may be eligible for a monetary or other reward.
- Severity Assessment: After the initial triage, we will categorize the severity of your findings based on CVSS 3.0, business impact, and the specific environment.
- Regular Updates: We will provide you with status updates regarding your report according to the severity level:
  - Critical: Within 7 days
  - High: Within 7 days
  - Medium: Within 30 days
  - Low: Within 90 days
* May not apply to products or services acquired by Huntress within the last six (6) months.
Rules
As part of your participation in our program, you are expected to adhere to the following rules:
- Good Faith: Operate in good faith throughout the disclosure process.
- Prompt Reporting: Notify us as soon as you identify a potential security issue.
- Report Details: Provide comprehensive information about the vulnerability, including details necessary to reproduce and validate the issue, along with a Proof of Concept (POC). Please see Report Requirements below for further details. If you discover the same issue across multiple applications, please consolidate them into a single report instead of submitting multiple reports.
- Non-disclosure: All information pertaining to vulnerabilities you become aware of through Huntress's VDP is considered confidential. To allow Huntress time to address a vulnerability, you agree not to publicly disclose confidential information or share it with any third party (outside of Huntress) without prior written approval from the Information Security team at Huntress (security-disclosures[@]huntresslabs[.]com). You commit to promptly returning or destroying all copies of confidential information and related notes upon the Information Security team's request. In the spirit of collaboration and transparency, Huntress will only withhold approval of disclosure if confidentiality is required to prevent material harm.
- Avoid Attacks: Do not engage in denial of service attacks or actions that might disrupt Huntress's services or negatively impact the customer experience.
- Data Handling: Do not intentionally view, store, modify, or destroy data that does not belong to you.
- Tool Usage: We value the use of automated tools that aid in security research and do not restrict their usage. However, if these tools cause availability issues, Huntress will block them to ensure regular operation. Reports generated solely through the use of automated tools will be ineligible for reward.
- Scope Adherence: Comply with the in-scope and out-of-scope systems and services (see below).
We understand that identifying a vulnerability may sometimes necessitate a temporary breach of these rules. Still, we trust that you will act in good faith and limit such contraventions to the minimum necessary extent.
Report Requirements
Please send your report to security-disclosures[@]huntresslabs[.]com. Please include the following information in your report:
- A concise description of the issue and the specific instances or endpoints where it is located.
- An analysis of the attack scenario and exploitability, along with an assessment of the security impact of the bug.
- Screenshots or videos that demonstrate the issue.
- Step-by-step instructions for reproducing the issue, including any exploit code.
- Operating system and version details, if applicable.
- If relevant, provide a log detailing all activity related to your discovery, including your IP address(es) and timestamped requests, to assist us in validation and investigation.
When preparing your report, do not upload screenshots, videos, or exploit code to publicly accessible servers or repositories. Attach these files directly to the email.
Please note that reports of very low quality, such as those consisting solely of automated output, may be rejected without a response from Huntress.
Scope
In Scope Systems and Services
Any Huntress-owned web service that handles sensitive user data is within scope. This includes:
Out of Scope Systems and Services
Exclusions
Huntress values reports of vulnerabilities that significantly impact the confidentiality, integrity, and availability of our systems and services. However, some findings may have limited value or no practical significance to our product security. Huntress reserves the right to make this determination in good faith. Low-value findings that do not qualify for a reward may include, but are not limited to:
- Content spoofing or text injection issues without demonstrating an attack vector.
- Clickjacking on pages without sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without sensitive actions.
- Denial of Service (DoS).
- Lack of rate-limiting on forms that do not perform sensitive actions.
- Issues requiring unlikely user interaction.
- Missing best practices in Content Security Policy.
- Missing best practices in SSL/TLS configuration.
- Missing email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records).
- Software version disclosure or banner identification issues.
- Output from automated scanners without a POC.
- Previously known vulnerable libraries without a working POC.
- Vulnerabilities solely affecting users of outdated or unpatched browsers.
Reward Terms
Huntress may offer monetary or other forms of recognition for vulnerability reports that have a significant impact on our customers, products, or services.
Eligibility for monetary recognition is determined by evaluating the internal severity of a finding against its potential impact on Huntress and its customers. We reserve the right, at our sole discretion, to determine whether a vulnerability qualifies for a monetary reward. If we determine a vulnerability does not qualify for a monetary reward, we may, in our sole discretion, acknowledge your contribution in other ways, such as sending you Huntress swag. Assuming the reported issue is validated and deemed significant, the following rules apply:
- Agreement and Adherence: You must agree to and comply with these VDP terms and conditions.
- Individual Reporting: You must report in your individual capacity and not on behalf of a company or entity.
- First Reporter: You must be the first person to report the issue to us. Duplicate reports will be reviewed for additional information, but typically, only the first reporter will be recognized.
- Cooperation: You must be available to provide additional information as requested by our team to reproduce and triage the issue.
- Recognition: A vulnerability in multiple applications will be considered in the recognition decision. Duplicate reports may be closed without recognition.
- Reward Timing: A reward is provided after issue resolution.
- Ineligibility: Current and former Huntress employees, their family members, and their household members are not eligible for program participation.
- Age Requirement: You must be 18 years or older and capable of receiving electronic payments to be eligible for a monetary reward.
- Tax Responsibility: You are responsible for paying applicable taxes on any reward received, including withholdings. Huntress provides no tax advice, and you may be issued tax forms for the reward value at Huntress's discretion.
General Terms
Compliance with Laws: You must adhere to all applicable laws, rules, and regulations, including those specific to your location, regarding your activities related to Huntress's VDP. Rewards will not be issued to individuals in US embargoed countries or individuals on US Government lists of sanctioned or restricted individuals or entities.
Modification: Huntress reserves the right to modify these VDP terms and conditions; your participation in the VDP constitutes acceptance of all terms. Please review this site regularly, as we routinely update our VDP terms and eligibility, and updates take effect upon posting. We also reserve the right to cancel the VDP at any time.
Safe Harbor
Conduct aligned with the VDP will be considered authorized, and Huntress will not initiate legal action against you.