Vulnerability Disclosure Policy

Introduction

Actionstep is committed to keeping its systems, network and services secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to shore up our security.

Scope

Under Actionstep’s Vulnerability Disclosure Policy, you can search for vulnerabilities, provided you don’t:

  • Execute or attempt to execute a Denial of Service (DoS) attack.
  • Make any changes to a system.
  • Install malware of any kind.
  • Social engineer our personnel or customers (including phishing).
  • Scan or run tests in a manner that would degrade the operation of the service or negatively affect our customers in any way.
  • Install a backdoor in the system, even to demonstrate a vulnerability; a backdoor only further damages the security of the system.
  • Modify or delete data in the system. If your finding requires a copy of data from the system, copy no more than your investigation requires; if one record is enough, do not copy more.
  • Penetrate the system further than is required to demonstrate the finding. If you do gain access, do not share that access with others.
  • Use brute-force techniques (e.g. repeatedly entering passwords) to gain access to the system.
  • Don’t use techniques that can influence the availability of our online services.
  • Run tests on third party applications, websites or services that integrate with or link to Actionstep.
  • Scan or attack the Amazon Web Services infrastructure or attempt to do so.
  • Make use of any kind of automated scanning software.

Breaching the above restrictions may result in Actionstep launching an investigation and/or taking legal action to the fullest extent of Actionstep’s legal rights and obligations, or those of our partners and customers. If you do discover a vulnerability, please contact us as soon as possible by sending an email to InformationSecurity@actionstep.com.

What we ask of you

  • Submit your vulnerability report as soon as possible after discovery.
  • Do not abuse or exploit discovered vulnerabilities in any way for any purpose.
  • Do not share discovered vulnerabilities with any entities or persons other than Actionstep and its employees until after Actionstep has confirmed the vulnerability has been resolved.
  • Provide us with enough information to enable us to investigate the vulnerability properly (to investigate properly, we need to be able to reproduce your steps efficiently).
  • Provide us with information required to contact you (at least telephone number or email address).

What we promise

  • We will respond to your report within 5 business days of receipt, with our evaluation of the report and an expected resolution date.
  • We will keep you regularly informed of our progress toward resolving the vulnerability.
  • If you have followed the above instructions, we will not take any legal action against you regarding the report.

Out of scope vulnerabilities

  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms.
  • Issues that require unlikely user interaction.
  • Clickjacking/UI Redressing.
  • Reflected file download.
  • Verbose error pages (without proof of exploitability).
  • SSL/TLS configuration best-practice findings (without proof of exploitability).
  • Incomplete or missing SPF/DKIM records.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Content spoofing (text injection).
  • Tab nabbing.
  • OPTIONS HTTP method enabled.
  • Recently disclosed 0-day vulnerabilities.
  • Presence of autocomplete attribute on web forms.
  • Use of a known-vulnerable library (without proof of exploitability).

Your privacy

Any report submitted in relation to this Vulnerability Disclosure Policy will be handled with great care with regard to the privacy of the reporter. We will not share your personal information with third parties without your permission, unless we are legally required to do so.