Vulnerability Disclosure Policy

Guidelines for reporting security vulnerabilities

At Ecrio, we are committed to keeping our systems, network and product(s) secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to shore up our security.

Ecrio’s Responsible Disclosure Policy allows for researchers / hackers to search for vulnerabilities, as long as you don’t:

  • make changes to a system
  • install malware of any kind
  • social engineer our personnel or customers (including phishing)
  • execute or attempt to execute a Denial of Service
  • scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way
  • run tests on third party applications, websites or services that integrate with Ecrio

Breaching the above restrictions may result in Ecrio launching an investigation and/or taking legal action to the rights of Ecrio or that of our partners and customers.

Please read the guidelines carefully before attempting discovery and submitting any reports. We reserve the right to not respond to bug reports that clearly are defined as out of scope.

Report

If you do discover a vulnerability, please contact us as soon as possible by sending an email to info@ecrio.com with the subject line “Vulnerability Disclosure”

What we ask of you:

  • Submit your vulnerability report as soon as possible after discovery
  • Do not abuse or exploit discovered vulnerabilities in any way for any purpose
  • Do not share discovered vulnerabilities with any entities or persons other than Ecrio and its employees until after Ecrio has confirmed the vulnerability has been resolved
  • Provide us with adequate information to enable us to investigate the vulnerability properly (to be able to investigate properly, we will need to be able to efficiently reproduce your steps)
  • Provide us with information required to contact you (at least telephone number or email address)

What we promise:

  • We will respond to your report within 5 business days of receipt, with our evaluation of the report and an expected resolution date.
  • We will keep you regularly informed of our progress toward resolving the vulnerability.
  • If you have followed the above instructions, we will not take any legal action against you regarding the report.

The following template can be used when submitting a vulnerability:

# Description

[Description of the identified vulnerability]

# Steps to reproduce

  1. Step 1
  2. Step 2

# Impact

[What could an attacker achieve by exploiting the vulnerability]

Any report submitted in relation to this Responsible Disclosure Policy will be handled with great care with regards to the privacy of the reporter. We will not share your personal information with third parties without your permission, unless we are legally required to do so.