Diligent Vulnerability Disclosure Policy
Software security researchers are increasingly engaging with Internet companies to hunt down vulnerabilities. Diligent works with security experts across the globe to stay up to date with the latest security techniques. If you’ve discovered a security issue that you believe we should know about, we’d love to work with you.
This Diligent Vulnerability Disclosure Policy (the “Policy”) sets out the terms of Diligent Corporation’s Vulnerability Disclosure Program (the “Program”). Diligent’s Vulnerability Disclosure Program applies to security vulnerabilities found within Diligent’s public-facing online environment, as identified in the Eligible Targets below. For the protection of our customers, we do not disclose, discuss or confirm security matters until comprehensively investigating, diagnosing and fixing any known issues.
How to Participate
Highly skilled security researchers can participate in Diligent’s Private Vulnerability Disclosure Program. Send us information about yourself to email@example.com and we will answer you with an authorization ID. Include the authorization ID when communication with our team. Diligent reserves the right to refuse participants’ requests without additional information.
Submit Your Report
Vulnerability information is extremely sensitive. When using email to report a potential security issue to Diligent IT-Security Department, use firstname.lastname@example.org.
It’s important to include at least the following information in the email:
- Your organization (if any) and contact name;
- Your Reference / Advisory Number.
- Products or solutions and versions affected.
- Description of the potential vulnerability.
- Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue);
- Information about known exploits.
- Disclosure plans, if any.
- If you want public recognition.
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. A well written report will allow us to more quickly and accurately triage your submission.
- Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- A clear description of the issue, including the impact you believe it has to the user, Diligent or others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Your recommendations to resolve the issue.
- Provide us with a reasonable time to correct the issue before making any information public.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
You may receive public recognition for your find if 1) you are the first person to file a Report for a particular vulnerability, 2) the vulnerability is confirmed to be a valid security issue, and 3) you have complied with these guidelines. If a researcher prefers to remain anonymous, we encourage them to submit under a pseudonym. At this time Diligent does not offer a monetary reward for disclosure of vulnerabilities.
Thank you for helping keep Diligent and our users safe!
- You must agree and adhere to all terms as stated in this Policy.
- You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Diligent’s partners are not eligible for participation in the Program.
- You must not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
- You must not attempt to view, modify, or damage data belonging to others.
- You must not disclose the reported vulnerability to others until we’ve had 60 days to respond and triage the vulnerability. Additional days may be needed for complete remediation.
- You must not attempt to gain access to another user’s account or data.
- You must not use scanners or automated tools to find vulnerabilities. They’re noisy and we may ban your IP address.
- You must not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
At this time, the scope of this Program is limited to security vulnerabilities found in following targets:
The following vulnerabilities are not eligible for reporting.
- Network level Denial of Service attacks
- Application Denial of Service by locking user accounts
- Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
- Disclosure of known public files or directories, (e.g. robots.txt)
- Outdated software / library versions
- OPTIONS / TRACE HTTP method enabled
- CSRF on logout
- CSRF on forms that are available to anonymous users
- Cookies that lack HTTP Only or Secure settings for non-sensitive data
- Self-XSS and issues exploitable only through Self-XSS
- Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
- Attacks requiring physical access to a user’s device
- Attacks dependent upon social engineering of Diligent employees or vendors.
- Username enumeration based on login or forgot password pages.
- Enforcement policies for brute force, rate limiting, or account lockout.
- SSL/TLS best practices.
- SSL attacks such as BEAST, BREACH, Renegotiation attack.
- Clickjacking, without additional details demonstrating a specific exploit.
- Mail configuration issues including SPF, DKIM, DMARC settings.
- Use of a known-vulnerable library without a description of an exploit specific to our implementation.
- Password and account recovery policies.
- Presence of autocomplete functionality in form fields.
- Publicly accessible login panels.
- Lack of email address verification during account registration or account invitation.
- Lack of email address verification password restore.
- Session control during email/password changes.
Any information you receive or collect about Diligent through the Program (such information being Diligent’s “Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Diligent sites, without Diligent’s prior written consent.
Terms and Conditions
There are constraints on who may participate in the Program. In addition, there may be additional restrictions depending upon applicable local laws.
- The parties to this agreement are you and “Diligent Corporation.” Any references to “Diligent” or “we”/“our”/“us” shall be understood to refer to Diligent Corporation.
- You must abide by the law.
- Diligent employees, contractors, and their families are encouraged to report vulnerabilities but are not eligible for public recognition under the Program.
- By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than Diligent via our Vulnerability Disclosure Process.
- Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive appropriate recognition at the discretion of Diligent
- By submitting information about a potential vulnerability, you are agreeing to the terms and conditions of this Policy and granting Diligent and its group companies a worldwide, royalty-free, perpetual, non-exclusive, sublicensable, and assignable license to use your submission. Only the first report of a given issue that Diligent had not yet identified is eligible for public recognition. In the event of a duplicate submission, only the earliest received report is considered for public recognition.
- You are responsible for notifying Diligent of any changes to your contact information, including but not limited to your email address.
- Diligent reserves the right to discontinue the Program at any time with or without notice.
- You may only exploit, investigate, or target vulnerabilities against your own accounts and at all times only in accordance with all terms identified in this Policy. Testing must not violate any law or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
- If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way.
- Your testing activities must not negatively impact Diligent or Diligent’s online environment availability or performance.