Esko Coordinated Vulnerability Disclosure (CVD)

At Esko, safeguarding the security and integrity of our digital products and assets is a top priority. We are equally committed to transparency and collaboration within the cybersecurity community to help strengthen security across the industry.

To support this mission, Esko has established a Coordinated Vulnerability Disclosure (CVD) process. This initiative encourages responsible reporting of potential security vulnerabilities and fosters constructive engagement with security researchers.

Please ensure you understand the Esko rules before you report a security vulnerability. By participating in this program, you agree to be bound by the Esko CVD process and by the Esko Privacy Policy, available on the Esko website. When submitting any CVD related information to Esko, you also agree that the information you share will be considered non-proprietary and non-confidential, and that Esko will be entitled to use such information in its sole discretion without any restriction.

Esko reserves the right to modify its CVD process at any time, without notice, and to make exceptions the process on a case-by-case basis.

If you believe you’ve discovered a potential security vulnerability in any of Esko’s digital products or services, we appreciate your responsible disclosure. Please report it by emailing [email protected] with the following information:

• A clear description of the vulnerability, including supporting evidence (e.g., logs, screenshots, HTTP responses).
• The date of discovery.
• Your assessment of the impact and exploitability, including a potential attack scenario.
• An explanatory video (preferably in .MP4 format) demonstrating:
  • The tools used in discovery and exploitation.
  • Required user privileges.
  • Relevant platforms, operating systems, and versions.
  • Any associated IP addresses or URLs.
• Your contact information for secure communication.

• “Reporter Rewards” are granted at Esko’s discretion and only to the first reporter of a verified vulnerability.
• In cases where the same vulnerability affects multiple instances due to shared codebases or frameworks, only one “Reporter reward” will be issued.
• Submissions without a video or lacking clear evidence are not eligible for “Reporter Rewards”.
• Individuals on sanctions lists or residing in sanctioned countries are not eligible for “Reporter Rewards”.
• Esko employees and their family members are excluded from participating.

• Hoaxes or fraudulent reports.
• Anonymous or unverifiable submissions.
• Generic reports lacking actionable evidence.
• Reports unrelated to Esko’s products, services, employees, or customers.
• Non-actionable or speculative issues.
• Requests for specific timelines for fixes or updates.

Please send complete vulnerability reports and related inquiries to [email protected].
We welcome your feedback and suggestions to improve the Esko CVD program. Thank you for helping us keep Esko and our customers secure!