Esko Coordinated Vulnerability Disclosure (CVD)
Effective June 2021 - version 1.1
At Esko, keeping information safe and secure is a priority. Esko also values transparency in the industry and sharing information to improve security for every organization. Esko is committed to engaging the security research community in a professional and constructive manner that protects Esko and all its customers.
Esko has established a Coordinated Vulnerability Disclosure (CVD) process to continuously improve the security of all its digital products and assets.
If you believe that you have discovered a potential security vulnerability in any of Esko's digital products or assets, Esko appreciates your help in disclosing it in a responsible manner by submitting a vulnerability report to firstname.lastname@example.org.
Esko reserves the right to modify its coordinated vulnerability disclosure (CVD) process at any time, without notice, and to make exceptions to it on a case-by-case basis.
Reporting a vulnerability
Your submission should be sent to email@example.com and should contain at least:
- Clear description and evidence of the vulnerability (logs, screenshots, responses or other evidence);
- The date of discovery;
- Your assessment of the exploitability or impact of the issue and how you would envision it being used in an attack scenario;
- An explanatory video (preferably in .MP4 format) showing the method and all steps for discovering and exploiting the vulnerability;
- The tool(s) used in discovering and exploiting the vulnerability;
- Any user privileges required to exploit the vulnerability;
- Any platforms, operating systems, versions that are relevant;
- Any relevant IP addresses or URLs;
- Your contact information so that Esko can communicate with you in a secure manner.
- Esko grants rewards at its discretion only to the first reporter of a relevant vulnerability.
- There are special cases where a vulnerability may be present in multiple places due to Esko products or assets sharing the same code base, framework or a deployment instance. Authorization for multiple methods could be handled at a single place. In such situations, only one reward will be applicable.
- Submissions without an explanatory video or without any clear description and evidence are by default ineligible for any Esko CVD reward.
- Individuals who are on a sanctions list and who are in countries on a sanctions list are not eligible for Esko rewards.
- Esko employees and their family members are excluded from the Esko CVD process.
Esko will not respond to:
- anonymous reports
- reports that are generic or lack evidence to be verified
- reports that bear no relevance to Esko as a company, its technologies or its employees or customers
- reports that are non-actionable
- specific windows of time for either fixes or updates to the person who filed the submission.
You can send all your vulnerability information to firstname.lastname@example.org.
Esko welcomes your suggestions and feedback for improving the Esko CVD program.
Thank you for helping keep Esko and its customers safe and secure!