Effective January 2026 – version 1.3
At Esko, safeguarding the security and integrity of our digital products and assets is a top priority. We are equally committed to transparency and collaboration within the cybersecurity community to help strengthen security across the industry.
To support this mission, Esko has established a Coordinated Vulnerability Disclosure (CVD) process. This initiative encourages responsible reporting of potential security vulnerabilities and fosters constructive engagement with security researchers.
By participating in this program, you agree to be bound by the Esko CVD rules and by the Esko Privacy Policy, available on the Esko website. Please ensure you understand these Esko rules before you report a security vulnerability.
When submitting any CVD-related information to Esko, you agree that all information you share will be considered non-proprietary and non-confidential, and that Esko will be entitled to use such information in its sole discretion without any restriction.
Scope
The CVD program applies to all Esko-branded products and applications listed on:
- esko.com
- enfocus.com
- artworkflowhq.com
Reporting a vulnerability
If you believe you have discovered a potential security vulnerability in any of Esko’s digital products or services, we appreciate your responsible disclosure.
Please report your information to csir@esko.com.
In order to help us triage and prioritize submissions, we require that your report contain at least the following 5 mandatory information elements:
- A description of the location where the vulnerability was discovered.
- A clear and detailed description of the steps needed to reproduce the vulnerability, including supporting evidence (logs, screenshots, HTTP responses are helpful).
- Your assessment of the potential impact and actual exploitability, including a potential attack scenario.
- An explanatory video (preferably in .MP4 format) demonstrating:
  - a. The tools used in discovery and exploitation.
  - b. Required user privileges.
  - c. Relevant platforms, operating systems, and versions.
  - d. Any associated IP addresses or URLs.
- Your contact information.
What you can expect from us
If you make a good faith effort to comply with our CVD process during your security research and you share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
Within 5 business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution. We will maintain an open dialogue to discuss issues.
Remarks
- By reporting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future payment claims against Esko.
- A “Reporter token of appreciation” is granted at Esko’s discretion and only to the first reporter of a verified vulnerability. In cases where the same vulnerability affects multiple instances due to shared codebases or frameworks, only one “Reporter token of appreciation” will be issued. Incomplete submissions are not eligible for a “Reporter token of appreciation”.
- Esko employees and their family members are excluded from participating.
- Esko reserves the right to modify its CVD process at any time, without notice, and to make exceptions to the process on a case-by-case basis.
Contact us
Please send complete vulnerability reports and related inquiries to csir@esko.com.
We also invite you to contact us with feedback and suggestions for improving this Esko CVD program.
Thank you for helping us keep Esko and our customers secure!