Vulnerability Disclosure Policy | OneSuite
Report vulnerabilities in OneSuite systems
Introduction
At OneSuite, information security is a top priority, and we are committed to protecting the confidentiality, integrity, and availability of our systems and data. This policy provides security researchers with clear guidelines for conducting vulnerability research and describes how vulnerabilities can be responsibly reported to us.
This document specifies which systems and types of research are covered by this policy, how to submit vulnerability reports, and what timelines we suggest for public disclosure.
We encourage security researchers to report vulnerabilities as described in this policy. Your efforts help us address potential issues and maintain the security of the OneSuite ecosystem.
Authorization
If you make a good faith effort to comply with this policy, OneSuite considers your research to be authorized. We will work with you to understand and resolve the issue quickly and will not recommend or pursue legal action related to your research.
Should a third party initiate legal action against you for activities conducted in accordance with this policy, OneSuite will make this authorization known.
Guidelines
Under this policy, "research" refers to activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Conduct analysis only within the defined scope.
- Avoid privacy violations, degradation of user experience, disruption of production systems, and destruction or manipulation of data.
- Use exploits only to the extent necessary to confirm the presence of a vulnerability. Do not use exploits to compromise or exfiltrate data, gain command-line access, or pivot to other systems.
- Allow us a reasonable timeframe to fix the issue before publicly disclosing it.
- Avoid submitting a large volume of low-quality reports.
Once you have determined that a vulnerability exists, or encounter sensitive data (including personal data, financial data, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Scope
This policy applies to the following systems and services:
- *.onesuite.io
Out-of-Scope Issues
The following issues are considered out of scope for this policy:
- Testing of OneSuite customer assets.
- Model hallucinations.
- Content moderation or recruitment issues.
- Security practices mitigated by other controls (e.g., missing security headers).
- Social engineering, phishing, and physical attacks.
- Issues such as missing cookie flags, low-impact CSRF (e.g., login/logout CSRF), content spoofing, or stack traces.
- Vulnerabilities without demonstrable security impact.
- DoS/DDoS attacks.
- Host header injection without impact.
- Scanner output, server error messages (unless they reveal critical information).
- Reports about outdated browsers or non-critical bugs.
All services not explicitly listed in the "Scope" section above, such as connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in our vendors' systems fall outside the scope of this policy and should be reported directly to the vendor in accordance with their disclosure policy (if available). If you are unsure whether a system is in scope, contact us at security@onesuite.io before beginning your research.
Acknowledgment
Although OneSuite does not currently offer financial rewards, we value your contributions. As a token of our appreciation, we will acknowledge your help on our Security Disclosure Acknowledgments page unless you prefer to remain anonymous. We are working on implementing a bug bounty program to enable financial rewards in the future.
Reporting a Vulnerability
Information submitted under this policy will be used exclusively for defensive purposes. If your findings reveal vulnerabilities affecting the broader user community, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA). We will not disclose your name or contact information without your permission.
What We Would Like to See
To help us effectively triage and prioritize submissions, please provide the following:
- The location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability (e.g., proof-of-concept scripts, screenshots).
- Reports in English.
What You Can Expect from Us
If you share your contact details, we commit to the following:
- Acknowledgment of receipt of your report within 14 business days.
- Confirmation of the vulnerability's existence and information about our remediation process, including any possible delays.
Please note that OneSuite does not offer compensation for submitted vulnerabilities. By submitting a report, you waive any claims to compensation.
Questions
For questions or suggestions about this policy, contact us at security@onesuite.io.
Last Updated: November 12, 2024