Vulnerability Disclosure Policy

Policy

Saasu values and appreciates the contributions from the cybersecurity community in improving and maintaining our systems to meet cybersecurity standards.

Scope

Reports submitted to Saasu for https://secure.saasu.com are in scope and will be accepted for evaluation.

Exclusions

Saasu retains the right to determine whether to accept a report submitted as a vulnerability disclosure.

Saasu will reject vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond Saasu’s control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the program requirements.

Out of scope vulnerabilities include:

  1. Vulnerabilities demonstrated where the attacker has direct access to the victim’s device for demonstration purposes (e.g. direct access to cookies);
  2. Click-jacking on pages with no sensitive actions;
  3. CSRF without a demonstrated vulnerability;
  4. Password and account recovery policies, such as reset link expiration or password complexity;
  5. Presence of autocomplete attribute on web forms;
  6. Username/user id enumeration;
  7. Vulnerabilities only affecting outdated or unpatched browsers;
  8. SSL/TLS configurations without a demonstrated vulnerability;
  9. Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
  10. Missing HTTP-only or secure cookie flags unrelated to a vulnerability;
  11. Missing security headers unrelated to a vulnerability;
  12. Attacks against network and security infrastructure; and
  13. Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).

Program Requirements

Saasu would not pursue legal action against participants who:

  1. Submit in-scope reports and engage in testing/research of systems without harming Saasu, its customers, employees, or third parties;
  2. Do not compromise the privacy of Saasu’s customers, employees, or other individuals (e.g. by accessing personal information);
  3. Do not conduct social engineering, spam, or phishing attacks;
  4. Do not test the physical security of any property of Saasu or third parties;
  5. Do not conduct denial-of-service or resource-exhaustion attacks;
  6. Comply with applicable criminal laws; and
  7. Adhere to other applicable laws.

You agree that Saasu may disclose the information in a report you submit through this website. Saasu will consider any request from a researcher to make a disclosure but reserves the right to deny such requests.

How to Submit a Report

To submit a report to Saasu, please email the report to service@saasu.com.

Expectations for Researchers

  1. Well-written reports in English will have a higher chance of faster response and resolution;
  2. Reports that include proof-of-concept code enable Saasu to better understand and triage the submitted information;
  3. Reports that include only output from programs may receive lower priority;
  4. Participating in this program does not give you any right to intellectual property owned by Saasu or a third party;
  5. Please include how you found the vulnerability and, if possible, any potential remediation(s); and
  6. Please do not include any personal information.