Vulnerability Disclosure Policy

Policy

Saasu values and appreciates the contributions from the cybersecurity community in improving and maintaining our systems to meet cybersecurity standards.

Saasu will review and accept reports by the community submitted by following the criteria listed below. Saasu will not respond to any vulnerability reports from the exclusions list or vulnerabilities that have been reported previously. 

Scope

Reports submitted to Saasu for https://secure.saasu.com are in scope and will be accepted for evaluation.

Exclusions

Saasu retains the right to determine whether to accept a report submitted as a vulnerability disclosure.

Saasu will reject vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond Saasu’s control, vulnerabilities discoverable through automated scans which have not been verified manually, vulnerabilities already reported, or vulnerabilities related to a violation of the program requirements.

Out of scope vulnerabilities include:

  1. Vulnerabilities demonstrated where the attacker has direct access to the victim’s device for demonstration purposes (e.g. direct access to cookies);
  2. Click-jacking on pages with no sensitive actions;
  3. CSRF without a demonstrated vulnerability;
  4. Password and account recovery policies, such as reset link expiration or password complexity;
  5. Presence of autocomplete attribute on web forms;
  6. Username/user id enumeration;
  7. Vulnerabilities only affecting outdated or unpatched browsers;
  8. SSL/TLS configurations without a demonstrated vulnerability;
  9. Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
  10. Denial of service or resource exhaustion;
  11. Missing HTTP-only or secure cookie flags unrelated to a vulnerability;
  12. Missing security headers unrelated to a vulnerability;
  13. Attacks against network and security infrastructure; and
  14. Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).

Program Requirements

Saasu would not pursue legal action against participants who:

  1. Submit in-scope reports and engage in testing/research of systems without harming Saasu, its customers, employees, or third parties;
  2. Do not compromise the privacy of Saasu’s customers, employees, or other individuals (e.g. by accessing personal information);
  3. Do not conduct social engineering, spam, or phishing attacks;
  4. Do not test the physical security of any property of Saasu or third parties;
  5. Do not conduct denial-of-service or resource-exhaustion attacks;
  6. Comply with applicable criminal laws;
  7. Adhere to other applicable laws;

You agree that Saasu may disclose the information in a report you submit through this website. Saasu will consider any request from a researcher to make a disclosure but reserves the right to deny such requests.

How to Submit a Report

To submit a report to Saasu, please email the report to service@saasu.com, accepting the disclosure guidelines in this policy by including the sentence “I have read and agree to the vulnerability disclosure policy and terms outlined by Saasu.”

Expectations for Researchers:

  1. Well-written reports in English will have a higher chance of faster response and resolution;
  2. Reports that include proof-of-concept code enable Saasu to better understand and triage the submitted information;
  3. Reports that include only output from programs may receive lower priority;
  4. Participating in this program does not give you any right to intellectual property owned by Saasu or a third party;
  5. Do not report the same vulnerability more than once for Saasu domains;
  6. Please include how you found the vulnerability; if possible include any potential remediation(s); and
  7. Please do not include any personal information.

How Saasu pays a bounty

We pay bounties in AUD or USD via PayPal only.

  1. We notify you of the bounty payable in either AUD or USD.
  2. You invoice Saasu Pty Ltd for the currency amount preferred including your PayPal payment email address.
    (Please do not charge fees or an amount that differs from the exact bounty, as Accounts will not process the request).
  3. We send payment via PayPal.