Does Scanii have a security vulnerability disclosure program?
Securing a modern Software as a Service application is a team sport, and we don't expect to excel at it alone. We are therefore formalizing our security vulnerability response process in the hope of increasing outside involvement and, ultimately, resolving incidents faster, if and when they happen.
We are grateful for your concern and help.
Whether you are an outside research firm or a talented individual developer, we will take every reported security flaw seriously and follow up on it to the best of our abilities.
We will reward you for your findings.
As a small token of appreciation, reporters of flaws that we confirm as valid and in scope will receive USD $100 from us.
We make reporting vulnerabilities quick and easy.
- Email email@example.com with the details of the vulnerability and how we can reach you if we have further questions.
- Give us 48 hours to investigate and assess the impact of the claimed flaw (we will not disclose issues until our investigation is completed). After that we will contact you with our findings and remediation plan.
- Once the vulnerability is addressed we will make any necessary disclosures. We will not disclose the reporter's information without explicit consent.
While researching, we ask that you do not engage in:
- Denial of service
- Social engineering (including phishing) of Uva Software staff or contractors
- Any physical attempts against Uva Software property or data centers
In scope domains:
- api.scanii.com, api-us1.scanii.com, api-eu1.scanii.com, api-eu2.scanii.com, api-ap2.scanii.com and api-ap1.scanii.com
Please note that support.scanii.com uses a third party service and is not in scope for this program.
Out of scope issues:
- Denial of service
- Reports of spam
- Social engineering
- Content/text spoofing
- SPF, DMARC or other email configuration issues
- Unconfirmed reports from automated vulnerability scanners
- Disclosure of server or software version numbers
- Session invalidation or other account-management hardening that only matters once a credential is already known (e.g., a password reset link that does not immediately expire, or enabling MFA not expiring other sessions)
- Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- User/merchant enumeration
- Best practice reports without a valid exploit (e.g. use of “weak” TLS ciphers)
- Issues without a clear malicious exploitation vector
Let's build more secure software together!
The scanii team.