To promote responsible and constructive vulnerability disclosure, Esko asks all participants to adhere to the following rules:
General Conduct Rules
- Do not violate any international, federal, or local laws or regulations.
- Report vulnerabilities promptly upon discovery or as soon as feasible.
- Do not attempt to access, modify, or interact with data or accounts that do not belong to you.
- If you inadvertently access user data, stop immediately and notify Esko without viewing, storing, altering, or sharing the data.
- Avoid any actions that could be disruptive, damaging, or harmful to Esko, its infrastructure, or its users.
Prohibited Activities
- No social engineering (e.g., phishing, impersonation) targeting Esko employees.
- No physical attacks on Esko’s offices, infrastructure, or hardware.
- Do not install malware (e.g., viruses, worms, ransomware).
- Do not make unauthorized changes to systems or repeatedly access them.
- Do not share access or tools with others.
- Use only your own accounts, email addresses, and devices for testing.
- Do not contact Esko executives or associates directly regarding your vulnerability report status.
Confidentiality and Disclosure Rules
- Treat all vulnerability information as confidential.
- Do not disclose any details to third parties without explicit written consent from Esko.
- Allow Esko reasonable time to investigate and respond before making any information public.
Legal Protection
Esko will not pursue legal action or report to law enforcement for accidental, good-faith violations of these rules. However, failure to comply may result in disqualification from the CVD process and forfeiture of any Reporter Rewards.
Scope
The CVD program applies to all Esko-branded products and applications listed on:
- esko.com
- mediabeacon.com
- enfocus.com
- artworkflowhq.com
CVD Exclusions
- Unvalidated findings from automated tools or scans.
- Missing best practices that do not constitute a vulnerability.
- UI/UX issues such as:
  - “Back” button working after logout.
  - Username/email enumeration.
  - Missing cookie flags on non-sensitive cookies.
  - Missing non-critical security headers.
- Issues affecting only outdated browsers or platforms.
- Vulnerabilities requiring physical access to a device.
- Hosting or downloading of malware or arbitrary content.
- Social engineering or email bombing.
- Upload/download of executables without exploitation.
- Logout or unauthenticated CSRF.
- Self-XSS or XSS on sandboxed/user-content domains.
- Invalid or missing SPF/DKIM/DMARC records.
- Bypassing pricing or paid feature restrictions.
- Clickjacking on non-sensitive or unauthenticated pages.
- Use of known-vulnerable libraries without proof of exploitability.
- Low-impact error messages or non-sensitive information disclosures.
- Password/account policy issues (e.g., reset link expiration).
- Non-critical issues on blog.esko.com.
- Missing rate limits without security implications.
- Presence of EXIF data in uploads.
- 0-day vulnerabilities in third-party software within 10 days of public disclosure.
- Any other issue deemed low or negligible impact by Esko.
Note: If you believe an excluded issue has significant security implications, you are still encouraged to report it to mailto:[email protected]. Esko may acknowledge your contribution at its discretion.