Responsible Disclosure Policy
The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Transporeon security team. If you are a customer and have a question about security or a password or account issue, please contact us through the regular support channels.
Transporeon regularly reviews its Responsible Disclosure Policy from a legal and operational perspective.
Security is core to our values, and we value the input of security researchers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as how we handle your report.
How to Contact Us
Our official communication channel is via the form. Please click on the "Report Vulnerability" button and report the problem. The issues are triaged by a Security Analyst before being escalated to the appropriate team.
Please, write your report in English or German and provide us with enough information to reproduce the vulnerability. Please include your contact information so we can contact you directly. If you do not wish to be contacted, that is acceptable but may impede our ability to investigate and correct the vulnerability.
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be authorized, lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channel before going any further.
Ground Rules
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
- Play by the rules. This includes following this policy, as well as any other relevant agreements.
- Do not violate the privacy of others, personal data protection regulations, do not disrupt our systems, destroy data, and/or harm user experience;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
- Only interact with accounts or devices you own or with explicit permission from the owner.
- Make a good faith effort to avoid interruption or degradation of our service.
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
- Cease testing and submit a report immediately if you encounter any user data during testing, such as personally identifiable information, personal healthcare information, credit card data, or proprietary information.
- Do not attempt to gain physical access to Transporeon property or data centers.
- Do not attempt to execute Denial of Service attacks.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Report any vulnerability you’ve discovered promptly.
- Do not attempt to blackmail by making a financial demand before disclosing details of the vulnerability.
- Use only the Official Channels to discuss vulnerability information with us.
Disclosure
You are not allowed to publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so.
Scope
This policy covers all Transporeon services, products or web properties.
Please note! Most reports we receive have little or no security impact or are already known. To avoid a disappointing experience when contacting us, please take a moment and consider if the issue you want to report has a realistic attack scenario.
More specifically, we ask you to not submit issues regarding:
- Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability.
- Findings from automated tools without providing a Proof of Concept.
- Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones.
- Missing or weak security-related HTTP headers.
- Non-sensitive data disclosure, for example server version banners.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Self-XSS.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Host header injection, unless you have confirmed that it can be exploited in a practical attack.
- Previously known vulnerable software or libraries without a working Proof of Concept.
- Rate limiting or bruteforce issues on non-authentication endpoints.
- Denial of Service.
- CSV/formula injection.
- Flash based exploits.
- Clickjacking on pages with no sensitive actions.
Actions you can expect from us:
When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is performed according to this policy;
- Report any vulnerability you’ve discovered promptly;
- Work with you to understand and validate your report, including an initial response to the submission within a reasonable timeframe;
- Work to remediate discovered vulnerabilities in a timely manner;
- Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated.
Transporeon appreciates the efforts of security researchers in identifying vulnerabilities and cooperating with us to ensure the safety of our customers. We are grateful to you for doing your best to improve the security and safety of our products and the Internet community as a whole.