EMPTOR, INC. VULNERABILITY DISCLOSURE POLICY
Effective date of this Vulnerability Disclosure Policy is January 6, 2022 (v1.0).
Scope of Activities
This policy only applies to Emptor’s services served from the *.emptor.io domain and all subdomains. Any services not hosted or served from this domain are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems hosted/managed by third-party vendors fall outside this policy’s scope, and should be reported directly to the vendor according to their vulnerability disclosure policy (if applicable). If it is unclear whether a system is in scope, Emptor should be contacted directly prior to starting research.
The following issue types are out of scope, but still may and are encouraged to be reported. However, Emptor does not guarantee you will receive a response for reports of these types:
- Reports of non-exploitable vulnerabilities.
- Volumetric vulnerabilities, such as Denial of Service (DoS/DDoS) attacks; restrict usage of automated testing tools to no more than ten (10) requests per second.
- Missing security headers (e.g., Content-Security-Policy, X-Frame-Options, Feature-Policy, HTTP Strict Transport Security, HTTP Public Key Pinning, X-XSS-Protection, Referrer-Policy)
- Email-related security configurations (e.g., SPF, DKIM, DMARC)
Emptor requests that security researchers provide a non-destructive, non-damaging proof of exploitation. It is also requested that security researchers do not publicly release the details of such issues until Emptor has had sufficient time (a minimum of 20 business days, as detailed in the Communication and Reporting section below) to review and mitigate the reported issues. Additionally, any data retrieved during research must be securely deleted as soon as it is no longer required (the vulnerability has been rectified).
The following activities and methods are not allowed, though the following list should be considered non-exhaustive:
- Violating any applicable laws and regulations
- Publicly disclosing vulnerabilities without approval by Emptor.
- Copying, changing, or deleting data or systems.
- Causing damage, abuse, and/or spamming.
- Placing malware, backdoors, or other unauthorized code.
- Executing DoS or resource exhaustion attacks and causing interruption or impediment of services.
- Using Spam, Phishing, Vishing, Smishing, or other Social Engineering techniques.
- Brute-forcing credentials of users.
- Exposing, deleting, or modifying personal data
Communication and Reporting
Emptor’s Security team is committed to addressing all security issues in a responsible and timely manner. The following steps should be followed when submitting a vulnerability report:
- Please submit a detailed description of the issue, written in English, along with the steps to reproduce it (screenshots or screen recordings are appreciated). This report may be submitted using the following methods:
- The Vulnerability Disclosure Form (preferred) may be submitted anonymously (anonymous submissions will not receive further contact after initial submission of the report).
- Plain-text email (not encrypted with PGP) to firstname.lastname@example.org
- If contact information is provided, please expect a reply via email, usually within three (3) business days. If seven (7) business days have passed since submitting the report, please send a follow-up email.
- Vulnerability reports may take time to triage and remediate. Please provide Emptor a reasonable amount of time to resolve the issue before any disclosure to the public. If/when Emptor replies to the report, Emptor will discuss the length of time required for remediation before public disclosure. Regardless of any reply to the report, please ensure a minimum of 20 business days from the time of submission of the report before any disclosure to the public.
- Emptor will send notifications of any progression milestones as soon as possible. Emptor may request feedback or confirmation that the solution proffered covers the vulnerability reported.
Information submitted under this policy will be used for defensive purposes only. Emptor will not share your name or contact information without explicit permission, unless required by law.
Rewards, Bug Bounty, or Compensation
Currently, Emptor does not offer a paid bug bounty program, and does not offer or guarantee compensation for reporting security vulnerabilities. Any such requests for rewards or compensation, either implicitly or explicitly, including the use of vulnerability marketplaces, will be considered a violation of this policy. By submitting a vulnerability report, it is acknowledged that there is no expectation of payment or compensation, and that any future pay claims related to the submission are waived.
In the event of the discovery of an extraordinary vulnerability, Emptor may, at its sole discretion, offer remuneration in an amount and manner that Emptor deems appropriate for the work performed in locating vulnerabilities and improving the security of Emptor’s products and services. Such remuneration is not considered “compensation” under this policy, and must not be expected or requested.
This policy does not permit security researchers to act in any manner that is inconsistent with any and all applicable legal or regulatory compliance requirements, as well as in any manner that violates any applicable laws and regulations.