Report A Vulnerability
If you believe you have found a security issue that meets Plumsail’s definition of a vulnerability, please submit the report to our security team via one of the methods below.
We are unable to respond to bulk reports generated by automated scanners. If you identify issues using an automated scanner, it is recommended that you have a security practitioner review the issues and ensure that the findings are valid before submitting a vulnerability report to Plumsail.
If you are a customer:
- Submit a ticket to our support team
If you are a security researcher:
- Submit a report through our bug bounty program
- Email security@plumsail.com
Please include the following information in your report:
- Type of issue (cross-site scripting, SQL injection, remote code execution, etc.)
- Product and version with the bug or a URL if dealing with a cloud service
- The potential impact of the vulnerability (e.g. what data can be accessed or modified)
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept or exploit code required to reproduce
Definition of a Vulnerability
Plumsail considers a security vulnerability to be a weakness in one of our products or infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of the product or infrastructure.
We do not consider the following types of findings to be security vulnerabilities:
- Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff, etc.). These are considered security best practices and therefore we do not classify them as vulnerabilities.
- Missing security-related attributes on non-sensitive cookies. Plumsail products may set certain security-related attributes on cookies used by our applications. The absence of these attributes on non-sensitive cookies is not considered a security vulnerability.
- Exposed stack traces. We do not consider stack traces by themselves to be a security issue. If you find that a stack trace details personally identifiable information or user generated content, please submit a report detailing the issue.
- Content spoofing by administrative users. We allow administrators to inject HTML into specific areas of our products as a customization feature and do not consider that functionality to be a vulnerability.
- Auto-complete enabled or disabled
Public Disclosure
At Plumsail, one of our values is Open Company, No Bullshit, and we believe that vulnerability disclosure is part of that value. We hold ourselves to our security bug fix service level objectives, and we will accept disclosure requests in the bug bounty program after the issue has been fixed and released to production. However, if the report contains any information regarding a customer instance or customer data, the request will be rejected. We ask that you give us reasonable notice and wait until the issue has been fixed.
Safe Harbour
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorised in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at security@plumsail.com and we will be happy to answer your questions.