Hi there! This document is no longer accurate; for the latest information on our vulnerability disclosure program, please go here.
Securing a modern Software as a Service application is a team sport, and we don't expect to excel at it alone. We are therefore formalizing our security vulnerability response process in the hope of increasing outside involvement and, ultimately, resolving incidents faster, if and when they happen.
Whether you are an outside research firm or just a talented developer, we will take seriously, and follow up on to the best of our abilities, any and all security flaws reported.
As a small token of appreciation, reporters of flaws deemed applicable will receive a USD 100 Amazon gift certificate from us.
While researching, we'd like to ask you to not engage in:
* Denial of service
* Social engineering (including phishing) of Uva Software staff or contractors
* Any physical attempts against Uva Software property or data centers
Out of scope issues:
* Client side issues caused by outdated email clients and browsers
* SPF, DMARC or other email configuration issues
* Lack of DNSSEC
* Password or account recovery policies, such as reset link expiration or password complexity
* Disclosure of known public files or directories (e.g. robots.txt)
* SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)
* Self-XSS and issues exploitable only through Self-XSS
* Content spoofing / text injection
* Issues without a clear malicious exploitation vector
Let's build more secure software together!
The scanii team.
Last updated on 07/24/2017.