Our application's security and user data are of the utmost importance to us. To ensure the best possible security for our service, we welcome responsible disclosure of any vulnerabilities you find in VobeSoft. We are committed to working with security researchers to verify and address any potential vulnerabilities reported to us.
VobeSoft recommends that security researchers share the details of any suspected vulnerabilities using the form below.
Scope
We are interested in vulnerabilities that affect the VobeSoft platform and customer data.
Exclusions
- Domains not listed in the target field
- Physical attacks against VobeSoft employees and/or offices
- Phishing or social engineering of VobeSoft employees, customers, contractors, vendors, or service providers
- Knowingly posting, transmitting, uploading, linking to, or sending any malware to or from VobeSoft-owned assets or systems
- Pursuing vulnerabilities discovered on VobeSoft-owned assets or systems
- Any vulnerability obtained through the compromise of a VobeSoft customer, reseller, or employee account
- Security bugs in third-party websites that integrate with VobeSoft
- Network level Denial of Service (DoS/DDoS) vulnerabilities and resource exhaustion bugs
- Clickjacking and issues only exploitable through clickjacking
- Self-XSS or XSS bugs requiring an unlikely amount of user interaction
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Missing HTTP security headers, specifically: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy
- Being an individual on, or residing in any country on, any U.S. sanctions lists
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services
- File upload meta-data not being modified or removed (i.e. EXIF data on uploaded images)
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- Sending malicious links to people you know
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves vulnerable
- Vulnerability reports using automated tools without validation
Researchers
Our commitment to researchers
- Safe harbor: Exempt from restrictions in our Terms of Service that would interfere with conducting security research on a limited basis for work done under this policy
- Respect: We treat all researchers with respect and recognize your contribution to keeping our customers safe and secure
- Transparency: We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy
- Common good: We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability
What we ask of researchers
- Trust: We request that you communicate about potential vulnerabilities in a responsible manner, providing sufficient time and information for us to validate and address potential issues
- Respect: We request that researchers make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
- Transparency: We request that researchers provide the technical details and background necessary for us to identify and validate reported issues using the form below
- Common good: We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing vulnerabilities. You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are still determining whether your security research is consistent with this policy, please inquire via support@vobesoft.com before going any further.