Our vulnerability disclosure policy
Our promise to you
- We are happy to respond to any questions via email@example.com
- We aim to process your submissions within 2-3 working days
- We respect the safe harbour clause that you can find below
Your promise to us
- Use trial accounts to perform vulnerability research. No real data should be used or affected.
- Provide detailed and to-the-point reproduction steps.
- Include a clear scenario. How could this vulnerability impact the solution?
- Please do not discuss or post vulnerabilities without our consent.
Applications & endpoints
- app.escala.com: Escala’s front-end SPA which our customers interact with.
- api.escala.com: Escala’s back-end API.
- www.escala.com: Our corporate website.
- .escalapages.com: Landing pages of customers that do not have a custom domain are published here.
What we're looking for
- Leaking of personal and confidential information
- Ability to manipulate customer data
- Ability to manipulate the flow of data between the front-end and back-end
- Horizontal/vertical privilege escalation
- Bypassing authentication
- Bypassing the free trial period
- Bypassing the restrictions to obtain additional feature packages
- Bypassing the WAF
- Bypassing role-based user privileges on a tenant
- Access to sensitive logging data that could result in sensitive information breach
What is not allowed
- Placing malware (virus, worm, Trojan horse, etc.).
- Copying, modifying or deleting non-trial data in the system.
- Repeatedly accessing the system or sharing access with others.
- Using automated scanning tools.
- Using brute-forcing.
- Using denial-of-service attacks.
Reporting a vulnerability
- Submissions must be forwarded to firstname.lastname@example.org in English.
- They should include (at the very least):
  - Estimated severity
  - Targeted domain
  - Endpoint / vulnerable component
  - Type of vulnerability
  - Proof of concept & description
  - Estimated impact
What to expect after submitting a vulnerability
- We will typically process your submission within 2-3 working days.
- You may be contacted for more information.
- Your findings will be treated as responsible disclosures by default.
- Submissions may be rejected based on Escala’s perceived business impact.
- Low-quality reports may not be pursued.
- If you would like to be recognized for your accurate reporting, we will be happy to do so.
Safe harbor for researchers
ExitoWeb considers ethical hacking research conducted consistently with this policy to constitute "authorized" conduct under criminal and civil law. ExitoWeb will not pursue civil action or initiate a complaint about accidental, good-faith violations.
If legal action is initiated by a third party against you and you have complied with the policy, ExitoWeb will take steps to make it known that your actions were conducted in compliance and with our approval.
Contact us via email@example.com