How to Report a Security Issue
ISO 27001 is the international standard that is recognized globally for managing risks to the security of information we hold and verifies Vardot's world-class security measures that enable us to:
- Protect client and employee information
- Manage risks to information security effectively
- Achieve compliance with regulations such as the European Union General Data Protection Regulation (EU GDPR)
- Protect the company’s brand image
Vardot takes the security of our products and procedures seriously.
We educate our staff on security best practices and our development process includes quality assurance such as peer review, security reviews, and automated security audits to help ensure our products are high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products.
If you discover a security issue in a Vardot product or hosted service, we ask that you report it to us confidentially in order to protect the security of our services.
Vardot's security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately, as well as set a timeline for a new release or patch.
We do not currently have a bug bounty program in place, however, we are happy to credit researchers with their name and a link to an address of their choosing (e.g. Twitter or personal website) on our Hall of Fame below.
We follow responsible disclosure and will credit researchers when a security issue has been identified and mitigated while adhering to the following specifics.
- You may not use automated tools in your research without our explicit consent. The use of automated tools may result in an investigative action or your IP(s) being blocked.
- You make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.
- You give us reasonable time to respond to your report and carry out remediation.
- We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in Vardot products or hosted services, if we determine the issue to be of high or critical severity, or if there has been continued research or contributions made by the reporter.
- We will credit you with your name and a "no-follow" link to the address of your choosing (e.g. Twitter or personal website).
- We are not interested in reports on the following issues:
- CSRF in forms available for anonymous user use (e.g. the contact form)
- Displayed server software banners or other version information
- Issues that are being handled in public issue queues of any of our OSS projects in use
- Click-jacking on vardot.com domains that do not involve authenticated user accounts
- Intentional security losing of DNS authentication records such as missing or incorrect SPF records, or DMARC policies
- Missing HTTP security headers. (e.g. X-Frame-Options)
- Descriptive error messages
- Username / email enumeration
- Disclosure of known public files. (e.g. robots.txt)
- Broken link hijacking (BLH) on non-production webpages
- We will not bring any lawsuit or begin a law enforcement investigation into you if you follow these parameters.
What details should you include when reporting a security issue?
Please provide as many relevant details as you can. In particular:
- What versions of the software are involved
- What steps someone can follow to go from an initial installation of that software to a point where they see the vulnerability
- Any patches or steps to mitigate the problem
What if the issue is in some other software?
Vardot relies on open source software such as Drupal, Varnish, Memcache, Nginx, Apache, MySQL, and many others. If you identify a vulnerability in one of our products that is actually in the underlying software then you can report the issue to us but could also report it to the security team for that project. For Drupal see How to report a security issue in Drupal. If you report an issue to Vardot and the problem lies with another product we will also contact and coordinate with their team prior to making any release.
Thanks to Acquia.com for the related responsible security issue reporting procedure, which this procedure is influenced by.
Security Hall of Fame
Vardot would like to thank the following people who have responsibly disclosed vulnerabilities to us: