strongDM's Responsible Disclosure Policy


Background

Responsible Disclosure Policies and Vulnerability Disclosure Programs encourage security researchers, customers, and other members of the public to safely and securely report potential vulnerabilities to strongDM without fear of prosecution or legal action, and allow strongDM a chance to be informed of potential vulnerabilities before they are publicly announced.

These programs also signal to current and potential customers that a company practices a mature vulnerability management program and is interested in advancing the security of its product.

strongDM looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.


Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

As long as you follow the rules defined in this policy, strongDM makes the following commitments:

  1. We will not pursue civil or criminal legal action against a vulnerability reporter in response to vulnerability research and disclosure to us;
  2. We will work with the vulnerability reporter to understand and reproduce the vulnerability that has been disclosed to us;
  3. We will keep the vulnerability reporter informed of our timeline for fixing the submitted vulnerability once we have verified it;
  4. We will recognize the vulnerability reporter on our website for their contributions toward making our product more secure;
  5. We may allow the vulnerability reporter to publicly disclose the vulnerability and their research methods after the vulnerability has been fixed, subject to strongDM’s explicit written consent.

Thank you for helping keep strongDM and our customers safe!


Response & Remediation Targets

strongDM will make a best effort to meet the following SLAs for hackers participating in our program:

Once a vulnerability has been verified, we will make a best effort to remediate within the following timelines:

Please note that the severity rating for a reported vulnerability may be adjusted by strongDM in line with our Vulnerability Management Program. We’ll try to keep you informed about our progress throughout the process.


Program Rules

  1. Research only that which is "in-scope" or "allowed", without using any of the prohibited methods listed below;
  2. Follow HackerOne's disclosure guidelines;
  3. Communicate with us only by the methods provided by HackerOne;
  4. Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
    – Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact;
    – Multiple vulnerabilities caused by one underlying issue will be treated as one valid report;
    – When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced);
  5. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder;
  6. Ensure any data exposed is kept to a minimum, not stored, and treated as confidential at all times;
  7. Do not destroy or alter data discovered during your research;
  8. Do not publicly or privately disclose any vulnerabilities [existing or remediated] discovered during your research to anyone other than strongDM and HackerOne.


VDP Scopes


In-Scope Assets

DOMAINS

Any strongDM-owned domains not listed below are not in scope and not covered by our legal safe harbor.

  • app.strongdm.com
  • api.strongdm.com
  • *.strongdm.network

SOFTWARE DEVELOPMENT KITS

strongDM provides software development kits to its customers to speed up integrations. Our four SDKs are available in public GitHub repositories linked below:


INSTALLED APPLICATIONS (EXECUTABLES)

The strongDM Platform also includes locally installed client applications and gateway server applications.


CLIENT APPLICATIONS

GATEWAY APPLICATIONS


Out-of-Scope Assets

DOMAINS

Any domain owned by strongDM not specifically listed above, including:

  • www.strongdm.com
  • discover.strongdm.com
  • learning.strongdm.com

SAAS APPLICATIONS

Any SaaS applications used by strongDM for business operations, such as Slack, Google Workspace, Zoom, etc.


Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Tabnabbing
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Open redirect unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • Attacks requiring MITM or physical access to a user's device
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Misconfigurations on third-party applications/widgets on any domain, unless there is immediate and verifiable confidential data disclosure (e.g. you can actually see the confidential information, not just theoretically gain access)


Prohibited Methods

The following methods are prohibited and considered out-of-scope:

  • Posting, uploading, linking to, or storing any malicious software or programs;
  • Physical security testing of office and/or data center access (e.g. open doors, tailgating);
  • Social engineering of our employees or customers (e.g. phishing, vishing, smishing);
  • Knowingly executing or attempting to execute any destructive or Denial of Service attacks;
  • Targeting out of scope applications;
  • Targeting our customers' users, administrators, or infrastructure in any way.


What Should Not Be Submitted

Please do not send any of the following information to us:

  • Personally Identifiable Information for persons other than yourself;
  • Private Health Information;
  • Credit Card Information of any type (PAN, CCV/CVN, etc.).