Hi there! This document is no longer accurate. For the latest information on our vulnerability disclosure program, please go here.

Scanii's security vulnerability response program

Securing a modern Software as a Service application is a team sport, and we don't expect to excel at it alone. We are therefore formalizing our security vulnerability response process in the hope of increasing outside involvement and, ultimately, resolving incidents faster, if and when they happen.

We are grateful for your concern and help.

Whether you are an outside research firm or a talented individual developer, we will take every reported security flaw seriously and follow up on it to the best of our abilities.

We will reward you for your findings.

As a small token of appreciation, reporters of flaws that we confirm as valid and in scope will receive a USD $100 Amazon gift certificate from us.

We make reporting vulnerabilities quick and easy.

  1. Email security@uvasoftware.com with the details of the vulnerability (what is affected, how to reproduce it and what its impact is) and how we can reach you if we have further questions.
  2. Give us 24 hours to investigate and assess the impact of the claimed flaw; we will not disclose issues until our investigation is complete. After that we will contact you with our findings and remediation plan.
  3. Once the vulnerability is addressed, we will make any necessary disclosures. We will not disclose the reporter's identity without their explicit consent.

While researching, please do not engage in:
* Denial of service
* Spamming
* Social engineering (including phishing) of Uva Software staff or contractors
* Any physical attempts against Uva Software property or data centers

Out of scope issues:
* Client-side issues caused by outdated email clients and browsers
* SPF, DMARC or other email configuration issues
* Lack of DNSSEC
* Password or account recovery policies, such as reset link expiration or password complexity
* Disclosure of known public files or directories (e.g. robots.txt)
* SSL/TLS configuration issues (weak cipher suites, SHA-1 certificates, BEAST/CRIME, lack of forward secrecy)
* Self-XSS and issues exploitable only through Self-XSS
* Content spoofing / text injection
* Issues without a clear, demonstrable malicious exploitation vector

Let's build more secure software together!

The scanii team.

Last updated on 07/24/2017.