Does Scanii have a security vulnerability disclosure program?

Our Commitment to Security

Securing a modern Software as a Service application requires collaboration across the security community. We welcome and value external security research to help us protect our users and maintain the highest security standards.

Whether you're a security researcher, an independent firm, or a developer who's discovered a potential vulnerability, we take every report seriously and will investigate thoroughly.

Scope

In-Scope Domains

The following domains are within scope for security research:

  1. www.scanii.com
  2. api-us1.scanii.com
  3. api-eu1.scanii.com
  4. api-eu2.scanii.com
  5. api-ap2.scanii.com
  6. api-ap1.scanii.com
  7. api-ca1.scanii.com

Note: docs.scanii.com uses a third-party service and is not in scope for this program.

Out-of-Scope Issues

⛔ Please review these exclusions carefully before submitting a report:

  1. Denial of service (DoS/DDoS) vulnerabilities
  2. Rate limiting issues
  3. Spam reports
  4. Social engineering attacks
  5. Self-XSS (cross-site scripting requiring user action on their own account)
  6. Content or text spoofing without authentication bypass
  7. Missing SPF, DMARC, or DKIM records
  8. Hyperlink injections happening outside of our product
  9. Unconfirmed automated scanner reports without manual verification
  10. Server or software version disclosure alone
  11. Session management issues when credentials are already compromised (e.g., password reset links not expiring immediately, MFA enrollment not invalidating sessions)
  12. Theoretical security concerns without proof of exploitability (e.g., missing headers, missing rate limits)
  13. Issues affecting only outdated or unsupported browsers
  14. User or merchant enumeration
  15. Best practice violations without a valid exploit (e.g., weak TLS cipher availability)
  16. Payment processing issues (handled by our third-party payment provider)
  17. Reports without a clear malicious exploitation scenario
  18. Issues related to Gmail aggressively converting text into hyperlinks

Reporting a Vulnerability

How to Submit

  1. Email security@uvasoftware.com with:
    • A detailed description of the vulnerability
    • Steps to reproduce the issue
    • Potential impact assessment
    • Your contact information for follow-up questions
  2. Response Timeline: We will acknowledge receipt within 48 hours and provide an initial assessment. Our team will investigate the reported vulnerability and determine the severity and impact.
  3. Resolution & Disclosure: Once we've addressed the vulnerability, we will coordinate disclosure with you. We will not publicly disclose your information without your explicit consent.

Rewards

We offer monetary rewards for valid security vulnerabilities based on severity:

  • Low Severity: $100 USD
  • Medium Severity: $250 USD
  • High Severity: $500 USD

Reward amounts are determined at our discretion based on impact, exploitability, and affected systems.

Rules of Engagement

To ensure safe and responsible security research, please do not engage in:

  • Denial of service or degradation of service attacks
  • Spamming or mass exploitation
  • Social engineering, phishing, or physical security attacks against Uva Software staff, contractors, or facilities
  • Accessing or modifying data belonging to other users
  • Any destructive testing that could impact service availability

Coordinated Disclosure

We are committed to coordinated vulnerability disclosure:

  • We ask for reasonable time to investigate and remediate reported vulnerabilities before public disclosure
  • We will keep you informed throughout the remediation process
  • We will credit you for your discovery (with your permission) in any public disclosures

Contact

For security vulnerability reports: security@uvasoftware.com

Thank you for helping us keep Scanii secure.

— The Scanii Team
