Vulnerability Disclosure Policy

Outpost24 is committed to resolving security vulnerabilities in our products and services. We take all necessary steps to minimize customer risk, provide timely information, and deliver vulnerability fixes and mitigations required to address security threats.

Outpost24 follows the Responsible Disclosure guidelines as laid out in ISO 29147 for any externally reported vulnerabilities or security flaws. These standards facilitate open communication between security researchers and vendors, clearly define responsibilities between the involved parties, and protect all parties from exploitation whenever possible.

Reporting a vulnerability

If you believe you have discovered a vulnerability in an Outpost24 product, service, or infrastructure that has not been resolved, please email a high-level description of your findings to security@outpost24.com. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands. Please do not take advantage of the vulnerability or reveal the problem to others until it has been resolved and we mutually agree on public disclosure of the issue.

To expedite verification and handling of the finding, please provide the following information in the initial communication:

  • Your preferred contact information
  • Product name, version number, IP address, or the URL of the affected system
  • Date the vulnerability was observed
  • Description of the vulnerability
  • Instructions to duplicate the vulnerability

Please note that we do not permit the following types of security research:

  • Actions that may negatively affect Outpost24 products or their users (spam, denial of service, brute-force attacks, etc.)
  • Accessing any data that does not belong to you
  • Accessing or attempting to access any internal systems that belong to Outpost24
  • Corrupting or otherwise damaging any data that does not belong to you
  • Social engineering
  • Violating any laws or breaching any agreements in order to discover vulnerabilities

Mitigation and remediation

If the report is confirmed valid, Outpost24 will move forward with providing remediation or mitigation. Outpost24 will keep the reporter up to date on progress until the issue has been fully addressed to the satisfaction of all parties. Outpost24 will not respond if the report is previously known or confirmed invalid.

Outpost24 asks that any vulnerabilities be reported in accordance with the policies of Coordinated Vulnerability Disclosure (CVD) and not be reported or revealed publicly until remediated or until sufficient time has elapsed in accordance with CVD. We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.

What we promise:

  • We will confirm receipt of your report within 3 business days and respond in a timely manner with an update or request for additional information,
  • If you have followed the instructions above, we will not take any legal action against you regarding the report,
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).

Reward

Reward decisions are at the discretion of Outpost24, but are generally based on severity per the Common Vulnerability Scoring Standard (CVSS).