Vulnerability Disclosure Policy

Report any vulnerabilities to OneSuite systems

Introduction

At OneSuite, we prioritize information security and are committed to safeguarding the confidentiality, integrity, and availability of our systems and data. This policy provides security researchers with clear guidelines for conducting vulnerability discovery and outlines how to responsibly disclose vulnerabilities to us.

This document specifies the systems and types of research covered under this policy, how to submit vulnerability reports, and the timeframes we request for public disclosure.

We encourage security researchers to report vulnerabilities as described in this policy. Your efforts will help us address potential issues and maintain the security of OneSuite’s ecosystem.

Authorization

If you make a good-faith effort to comply with this policy, OneSuite will consider your research to be authorized. We will work with you to understand and resolve the issue quickly and will not recommend or pursue legal action related to your research.

Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, OneSuite will make this authorization known.

Guidelines

Under this policy, “research” means activities where you:

  • Notify us as soon as possible after discovering a potential security issue.
  • Perform analysis only within the defined scope.
  • Avoid privacy violations, degradation of user experience, disruptions to production systems, and destruction or manipulation of data.
  • Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use exploits to compromise or exfiltrate data, establish command line access, or pivot to other systems.
  • Provide a reasonable amount of time for us to resolve the issue before disclosing it publicly.
  • Refrain from submitting a high volume of low-quality reports.

Once you have confirmed a vulnerability or encountered sensitive data (e.g., personally identifiable information, financial data, proprietary information), stop your testing, notify us immediately, and do not disclose the data to anyone else.

Scope

This policy applies to the following systems and services:

  • *.onesuite.io

Out-of-scope issues

The following are considered out of scope:

  • Testing of OneSuite customer assets.
  • Model hallucinations.
  • Content moderation issues or solicitation.
  • Security practices mitigated by other controls (e.g., missing security headers).
  • Social engineering, phishing, and physical attacks.
  • Issues like missing cookie flags, low-impact CSRF (e.g., sign-in/sign-out CSRF), content spoofing, or stack traces.
  • Vulnerabilities without demonstrable security implications.
  • DOS/DDOS attacks.
  • Host header injection without impact.
  • Scanner outputs, server error messages (unless they leak critical information).
  • Reports related to outdated browsers or non-critical bugs.

Any systems not explicitly listed above, including connected services, are excluded from this policy. Vulnerabilities in third-party systems should be reported to the vendor per their disclosure policies. If unsure about a system’s scope, contact us at security@onesuite.io before beginning your research.

We may expand this policy’s scope over time.

Recognition

While OneSuite does not offer financial rewards at this time, we value your contributions. As a token of appreciation, we will acknowledge your assistance on our Security Disclosure Acknowledgements page unless you prefer anonymity. We are working towards implementing a bug bounty program to facilitate financial rewards in the future.

Reporting a Vulnerability

Information submitted under this policy will be used solely for defensive purposes. If your findings reveal vulnerabilities affecting the broader user community, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA). We will not disclose your name or contact information without your permission.

What We Would Like to See

To help us effectively triage and prioritize submissions, please include:

  • The location and potential impact of the vulnerability.
  • A detailed description of the steps required to reproduce the vulnerability (e.g., proof-of-concept scripts, screenshots).
  • Reports in English.

What You Can Expect From Us

When you share your contact information, we commit to the following:

  • Acknowledge receipt of your report within 14 business days.
  • Confirm the existence of the vulnerability and update you on our remediation process, including potential delays.

Please note that OneSuite does not provide payment for submitted vulnerabilities. By submitting a report, you waive any claims for compensation.

Questions

For any questions or suggestions about this policy, contact us at security@onesuite.io.

Last update: 12 November 2024