We appreciate your interest in helping us secure our systems and applications. 2C2P's Vulnerability Disclosure Policy (VDP) outlines the guidelines for reporting potential vulnerabilities, as well as our approach for communicating with ethical security researchers and addressing such reports.
This policy describes what 2C2P considers a vulnerability that is covered under this policy; how to send vulnerability reports; and what security researchers can expect upon submission of a vulnerability report.
Scope
2C2P defines a vulnerability as an unintended weakness in our application's security that could be exploited by a malicious attacker. This could include things like:
- Cross-site scripting (XSS)
- SQL injection
- Insecure direct object references (IDOR)
- Broken authentication
- Directory traversal
- Remote code execution
- Business logic flaw
What is not included in the scope of this policy:
We kindly ask you to refrain from submitting reports about the following:
- Vulnerabilities related to denial-of-service (DoS) attacks
- Vulnerabilities related to resource exhaustion attacks
- Missing best practices in SSL/TLS configuration
- Social engineering or Phishing
- Physical security vulnerabilities
- Previously known vulnerable libraries without a working Proof-of-Concept
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on Login, Logout pages or pages with no sensitive actions
- Missing best practices in Content Security Policy
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers
How to Report a Vulnerability
Responsible Disclosure
We request that you do not exploit or publicly disclose any vulnerabilities that you discover, and that you report these vulnerabilities in a responsible manner. This includes compliance with any applicable laws, respect for the privacy of users and organisations, and avoidance of disruption or harm to systems, applications, and user experience.
Please submit vulnerability reports to bugreport@2c2p.com
What to include in vulnerability reports:
When submitting a vulnerability report, please include the following information (if applicable):
- Description of the vulnerability that you discovered
- Steps to reproduce the vulnerability (without harming systems, applications and user experience)
- Proof-of-concept (mandatory)
- Impact of the vulnerability
- Risk Score (Please use OWASP risk rating calculator)
- Contact information
By participating in our vulnerability disclosure program, you agree to the following terms:
- You will not exploit any vulnerabilities you discover beyond what is necessary to demonstrate a proof of concept.
- You will ensure that your testing does not cause any business disruption or impact to users.
- You will keep all communication regarding the vulnerability confidential.
- You will not launch any denial-of-service attacks against our applications.
What you can expect from us:
- We will maintain confidentiality when addressing vulnerability reports.
- We will acknowledge receipt of your report within 14 business days and verify all submitted reports promptly.
- We will work diligently to fix any identified vulnerabilities.
- To the best of our ability, we will keep you informed of the progress and resolution of our investigation.
Rewards and Recognition
While we do not offer guaranteed financial rewards for vulnerabilities, we value your contribution to our security posture. Security researchers will receive a certificate of appreciation in acknowledgement of your report.