Updated: June 27, 2017

At Cofense, Inc., we take the security of our users’ data very seriously. If you have discovered or believe you have discovered potential security vulnerabilities in a Cofense Service or Product, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Responsible Disclosure Policy.

We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire Cofense’s user community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.

Responsible Disclosure Policy

While working to identify security vulnerabilities, Cofense asks that you:

• Share any issues that you discover with us via security@cofense.com, as soon as is practical
• Provide Cofense reasonable amount of time to review and address reported issues before making them public (minimum 45 days after verification of vulnerability)
• Do not attempt to access or modify any user data that is not your own.
• Please do nothing to degrade the performance of our services (e.g. via automated scanning, brute forcing, or denial of service attacks)
• Do not post, transmit, upload, link to, send or store malware, viruses or similar harmful software.
• Report issues defined within scopes below.
• Check our list of non-qualifying vulnerabilities to make sure that you aren’t spending time chasing down a vulnerability that isn’t going to qualify for our Security Researcher Hall of Fame (bottom of page).

Scope

Vulnerabilities affecting the following domains are in scope and may qualify for a bounty:

• Cofense PhishMe
• Cofense Triage License Server
• Cofense ThreatHQ API Server
• Cofense Reporter

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability issue, please share the details with Cofense by sending an email to security@cofense.com. In reporting a potential security vulnerability issue please include the following:

• An adequate description and information regarding the security vulnerability that will allow Cofense to reproduce your steps and the issue,
• Proof of Concept
• How the attack could be executed in a real world scenario to compromise user accounts or data
• Your email address
• Your name and Twitter handle as you would like it to appear in our Security Researcher Hall of Fame (if selected).

Cofense will acknowledge receipt of your report within One Business Day, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.

Qualifying Vulnerabilities

Examples of qualifying vulnerabilities likely to be eligible for Hall of Fame recognition include:

• Cross-Site Scripting (XSS) affecting supported browsers (Chrome/latest, Firefox/latest, Safari/6, IE/10+)
• Cross-Site Request Forgery (CSRF)
• SQL Injection
• Missing/Broken Authentication
• Remote Code Execution
• Privilege Escalation

Non-Qualifying Issues

Not all issues are in the scope of our program, including some issues that may have been accepted by other programs. Please be aware of these non-qualifying issues before beginning your research and submitting any reports.

Examples of non-qualifying vulnerabilities (not eligible for a shout-out in our Hall of Fame) include:

• Reports from automated tools or scanners
• Theoretical attacks without actual proof of exploitability
• Denial of Service attacks
• Brute force attacks (e.g. on passwords or tokens)
• Username or email address enumeration
• Spamming
• Issues with third-party applications
• Issues with domains not owned by Cofense Inc (see the scope above)
• Social engineering of Cofense staff or users
• Vulnerabilities obtained through compromising Cofense user or employee accounts
• Attacks involving any user accounts not created by you
• Physical attacks against Cofense Inc offices or data centers
• Attacks involving physical access to a user’s device, or involving a device or network that is already seriously compromised (e.g. man-in-the-middle attacks)
• Missing security headers that do not lead directly to a vulnerability
• Click-jacking
• Content Spoofing
• Cookies missing secure/Http only
• Bugs that rely on an unlikely user interaction (i.e. the user effectively attacking themselves)
• Issues related to password and account recovery policies (e.g. password complexity requirements)
• Issues related to board and organization invitation policies
• Issues related to having auto-complete enabled (i.e. not explicitly disabled) on password inputs
• Disclosure of tools, libraries used by Cofense and/or their versions
• Open redirects on domains other than Cofense.com
• Issues that are the result of a user doing something silly (like sharing their password publicly)
• Attacks affecting browsers not explicitly supported by Cofense
• Issues related to e-mail coming from @Cofense.com addresses (e.g. things related to DMARC and SPF)
• Domain Name System Security Extensions (DNSSEC) configuration suggestions
• HTTP/HTTPS/SSL/TLS security header configuration suggestions

Recognition

Researchers that responsibly disclose in accordance with this Responsible Disclosure Policy are eligible for inclusion in our Security Researcher Hall of Fame. Whether or not a security vulnerability report is in compliance with this Responsible Disclosure Policy and a Researcher is eligible for inclusion in our Hall of Fame is in our sole discretion. Cofense does not compensate researchers for identifying potential or confirmed security vulnerabilities. Any requests for monetary compensation or any other type of consideration will be deemed in violation of this Responsible Disclosure Policy.

PGP Key

If you feel the email should be encrypted, our PGP key is available below.