Esko Coordinated Vulnerability Disclosure (CVD)


Effective June 2021 - version 1.1

At Esko, keeping information safe and secure is a priority. Esko also values transparency in the industry and sharing information to improve security for every organization. Esko is committed to engaging the security research community in a professional and constructive manner that protects Esko and all its customers. Esko has established a Coordinated Vulnerability Disclosure (CVD) process to continuously improve the security of all its digital products and assets.


If you believe that you have discovered a potential security vulnerability in any of Esko's digital products or assets, Esko appreciates your help in disclosing it in a responsible manner by submitting a vulnerability report to csir@esko.com.


Please ensure you understand the Esko rules before you report a security vulnerability. By participating in this program, you agree to be bound by the Esko CVD process and by the Esko privacy policy. When submitting any information to Esko, you also agree that the information you share will be considered non-proprietary and non-confidential and that Esko is allowed to use such information in any manner, in whole or in part, without any restriction.


Esko reserves the right to modify its coordinated vulnerability disclosure (CVD) process at any time, without notice, and to make exceptions to it on a case-by-case basis.


Reporting a vulnerability

Your submission should be sent to csir@esko.com and should contain at least:

  • Clear description and evidence of the vulnerability (logs, screenshots, responses or other evidence);
  • The date of discovery;
  • Your assessment of the exploitability or impact of the issue and how you would envision it being used in an attack scenario;
  • An explanatory video (preferably in .MP4 format) showing the method and all steps for discovering and exploiting the vulnerability.
    • The tool(s) used in discovering and exploiting the vulnerability;
    • Any user privileges required to exploit the vulnerability;
    • Any platforms, operating systems, versions that are relevant;
    • Any relevant IP addresses or URLs;
  • Your contact information so that Esko can communicate with you in a secure manner.

Important remarks:

  • Esko grants rewards at its discretion only to the first reporter of a relevant vulnerability.
  • There are special cases where a vulnerability may be present in multiple places due to Esko products or assets sharing the same code base, framework or a deployment instance. Authorization for multiple methods could be handled at a single place. In such situations, only one reward will be applicable.
  • Submissions without an explanatory video or without any clear description and evidence are by default ineligible for any Esko CVD reward.
  • Individuals who are on a sanctions list and who are in countries on a sanctions list are not eligible for Esko rewards.
  • Esko employees and their family members are excluded from the Esko CVD process.

Esko will not respond to:

  • hoaxes
  • anonymous reports
  • reports that are generic or lack evidence to be verified
  • reports that bear no relevance to Esko as a company, its technologies or its employees or customers
  • reports that are non-actionable
  • specific windows of time for either fixes or updates to the person who filed the submission.

Contact us

You can send all your vulnerability information to csir@esko.com.
Esko welcomes your suggestions and feedback for improving the Esko CVD program.



Thank you for helping keep Esko and its customers safe and secure!
