Thank you for working with Onapsis to help ensure we can provide a timely response to any security issues in our products. We are committed to working with researchers to fully understand an issue and providing a resolution to resolve it.
To ensure that we have the information required to properly evaluate a reported issue, Onapsis asks that you include the following information in any bug report:
- The affected product or resource (e.g. OP, CP, Onapsis website) and the version of the software, and the platform you are using (e.g. Windows 7, Debian Linux, Ubuntu Linux, Mac).
- A description of the issue explaining the vulnerability, including the impact to the user(s) or system. This should clearly describe how the issue crosses privilege boundaries. Please also include any prerequisites and steps to get the system to an impacted state.
- Any caveats or conditions required to exploit the issue. Indicate if there are any non-default system settings, custom configurations, required user interaction, or anything else that would limit the attack.
- A proof-of-concept or functional exploit that demonstrates the issue. If a proof-of-concept is not available, please include any relevant logs generated from your testing.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption of our products.
The following list of security issues won’t be accepted as a valid report.
- Vulnerabilities in older application/package/library versions.
- Security-headers-related issues.
- Transport Layer Security configuration issues.
- Brute force attacks.
- Attacks that require social engineering.
During the evaluation process, Onapsis will keep you updated on our status for resolving the issue.
If you are an Onapsis customer or partner, please use the Customer Portal to submit a service request for any security vulnerability you believe you have discovered in Onapsis products. If you are not a customer or partner, please email [email protected] with your discovery. We encourage using email encryption with our encryption key when emailing Onapsis Security.