Esko CVD Rules

• Treat all vulnerability information as confidential.
• Do not disclose any details to third parties without explicit written consent from Esko.

• Notify us as soon as possible after you discover a real or potential security issue.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence.
• Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• Do not submit a high volume of low-quality reports or any report without all 5 mandatory information.
• Do not violate any international, federal, or local laws or regulations.
• Do not attempt to access, modify, or interact with data or accounts that do not belong to you.
• Avoid any actions that could be disruptive, damaging, or harmful to Esko, its infrastructure, or its users.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

• Do not contact Esko executives or associates directly regarding your vulnerability report status.
• No social engineering (e.g., phishing, vishing, impersonation) targeting Esko employees.
• No physical testing (e.g. office access, open doors, tailgating) or any other non-technical vulnerability testing.
• No network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
• Do not install malware (e.g., viruses, worms, ransomware).
• Do not make unauthorized changes to systems or repeatedly access them.
• Do not share access or tools with others.
• Use only your own accounts, email addresses, and devices for testing.

The following types of reports are not eligible for a “Reporter token of appreciation” and may not receive a response:

• Unverified results from automated tools or scans.
• Missing best practices that do not constitute a vulnerability.
• UI/UX issues such as:
• “Back” button working after logout.
• Username/email enumeration.
• Missing cookie flags on non-sensitive cookies.
• Missing non-critical security headers.
• Issues affecting only outdated browsers or platforms.
• Vulnerabilities requiring physical access to a device.
• Hosting or downloading of malware or arbitrary content.
• Social engineering or email bombing.
• Upload/download of executables without exploitation.
• HTML or CSV injection without impact.
• Logout or unauthenticated CSRF.
• Self-XSS or XSS on sandboxed/user-content domains.
• Invalid or missing SPF/DKIM/DMARC records.
• Bypassing pricing or paid feature restrictions.
• Clickjacking on non-sensitive or unauthenticated pages.
• Use of known-vulnerable libraries without proof of exploitability.
• Low-impact error messages or non-sensitive information disclosures.
• Password/account policy issues (e.g., reset link expiration).
• Non-critical issues on relevant websites.
• Missing rate limits without security implications.
• Presence of EXIF data in uploads.
• 0-day vulnerabilities in third-party software within 14 days of public disclosure.
• Any other issue deemed low or negligible impact by Esko.

Remark: If you believe an excluded issue has significant security implications, you are still encouraged to report it to csir@esko.com. Esko may acknowledge your contribution at its discretion.

• Hoaxes or fraudulent reports.
• Anonymous or unverifiable submissions.
• Generic reports lacking actionable evidence.
• Reports unrelated to Esko’s products, services, employees, or customers.
• Non-actionable or speculative issues.
• Requests for specific timelines for fixes or updates.
• Communications containing abusive language.

Esko will not pursue legal action or report to law enforcement for accidental, good-faith violations of the Esko CVD process. However, failure to comply may result in disqualification from the Esko CVD process and forfeiture of any “Reporter token of appreciation”.