Vulnerability Disclosure Policy
Report any vulnerabilities to MailBluster systems
Introduction
MailBluster cares about information security. We are committed to maintaining the confidentiality, integrity, and availability of MailBluster systems and information to ensure the trust and confidence of our customers. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Security researchers should feel comfortable reporting vulnerabilities discovered, as defined in this policy, to allow MailBluster to remediate the findings to ensure confidentiality and keep MailBluster’s information safe.
Authorization
If you make a good-faith effort to comply with this policy during your security research, MailBluster will consider your research to be authorized, work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, MailBluster will make this authorization known.
Guidelines
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Perform analysis only within the scope set out below.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Scope
This policy applies to the following systems and services:
- *.mailbluster.com
Out-of-scope issues
- Discovering and testing against MailBluster customer assets
- Model hallucinations
- Content moderation issues, solicitation
- Security practices where other mitigating controls exist i.e. missing security headers, etc.
- Social engineering, phishing
- Physical attacks
- Missing cookie flags
- CSRF with minimal impact i.e. Sign in CSRF, Sign out CSRF, etc.
- Content spoofing
- Stack traces, path disclosure, directory listings
- SSL/TLS controls where other mitigating controls exist
- Banner grabbing
- CSV injection
- Reflected file download
- Reports on out of dated browsers
- DOS/DDOS
- Host header injection without a demonstrable impact
- Scanner outputs
- HTTP trace method
- Server error messages (unless critical information is leaked)
- Bugs without security implications
Any service not expressly listed above, such as any connected services, is excluded from the scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their Disclosure Policy (if any). If you aren’t sure whether a system is in scope or not, contact us at [email protected] before starting your research.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.
Recognition
We do not offer financial rewards for submissions, but we strongly believe in public recognition for individuals who assist us in ensuring the security of our systems and data. We value your contribution, and as a token of our appreciation, we will publicly share the name of the report submitter on our Security Disclosure Acknowledgements page, unless you express a preference for anonymity.
While we are actively working towards implementing a bug bounty program that will facilitate and regulate financial rewards for submissions, we regret to inform you that such a program is not available at this time.
Reporting a vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely MailBluster, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 14 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.
- MailBluster does not provide payment to reporters for submitting vulnerabilities.
- Reporters submitting vulnerabilities to MailBluster, in so doing, waive any compensation claims.
Questions
Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.
Last update: 29 February 2024