Vulnerability Disclosure Policy - ExitoWeb Inc

This vulnerability disclosure policy applies to all of ExitoWeb's products. If you have any questions, please contact us via security@escala.com.

Our vulnerability disclosure policy

Escala is an all-in-one platform for optimizing your marketing and sales, where you can build powerful sales funnels that generate quality leads and convert them into loyal clients, with all the tools you need integrated in one place. Because we process personal and sensitive data, security and trust are always at the top of our priorities, and we are continually working to make our product as secure as possible. Even so, we acknowledge that a vulnerability can always slip through the cracks. Our Vulnerability Disclosure Policy is one of the ways we uncover potential vulnerabilities: we invite ethical hackers and security researchers to disclose them to us. If you find a vulnerability, please let us know so that we can take measures as quickly as possible.

Our promise to you

  • We are happy to respond to any questions via security@escala.com.
  • We aim to process your submissions within 2-3 working days.
  • We respect the safe harbor clause that you can find below.

Your promise to us

  • Use trial accounts to perform vulnerability research. No real data should be used or affected.
  • Provide detailed and to-the-point reproduction steps.
  • Include a clear scenario. How could this vulnerability impact the solution?
  • Please do not discuss or post vulnerabilities without our consent.

Scope

Applications & endpoints

  • app.escala.com: Escala's front-end SPA, which our customers interact with.
  • api.escala.com: Escala's back-end API.
  • www.escala.com: Our corporate website.
  • .escalapages.com: Landing pages of customers that do not have a custom domain are published here.

What we're looking for

  • Leaking of personal and confidential information
  • Ability to manipulate customer data
  • Ability to manipulate the flow of data between the front-end and back-end
  • Horizontal/vertical privilege escalation
  • Bypassing authentication
  • Bypassing the free trial period
  • Bypassing the restrictions to obtain additional feature packages
  • Bypassing the WAF
  • Bypassing role-based user privileges on a tenant
  • Access to sensitive logging data that could result in a sensitive information breach
  • SQLi
  • XSS

What is not allowed

  • Placing malware (virus, worm, Trojan horse, etc.).
  • Copying, modifying or deleting non-trial data in the system.
  • Repeatedly accessing the system or sharing access with others.
  • Using automated scanning tools.
  • Using brute-forcing.
  • Using denial-of-service attacks.

Reporting a vulnerability

  • Submissions must be sent to security@escala.com in English.
  • They should include (at the very least):
    • Estimated severity
    • Targeted domain
    • Endpoint / vulnerable component
    • Type of vulnerability
    • Proof of concept & description
    • Estimated impact

What to expect after submitting a vulnerability

  • We will typically process your submission within 2-3 working days.
  • You may be contacted for more information.
  • Your findings will be treated as responsible disclosures by default.
  • Submissions may be rejected based on Escala's perceived business impact.
  • Low-quality reports may not be pursued.
  • If you would like to be recognized for your accurate reporting, we would be happy to do so.

Safe harbor for researchers

ExitoWeb considers ethical hacking research conducted consistently with this policy to be "authorized" under criminal and civil law. ExitoWeb will not pursue civil action or initiate a complaint about accidental, good-faith violations.

If legal action is initiated by a third party against you and you have complied with this policy, ExitoWeb will take steps to make it known that your actions were conducted in compliance with this policy and with our approval.

Any questions?

Contact us via security@escala.com.