Confirmit Vulnerability Reporting Policy
Effective Date: January 11th, 2019

This document gives general guidelines on finding and disclosing vulnerabilities in the Confirmit SaaS services.

Services in scope

  • *.euro.confirmit.com
  • *.us.confirmit.com
  • *.confirmit.com.au
  • *.confirmit.ca
  • Applications distributed by Confirmit from our company webpages, Google Play and Apple AppStore

Services not in scope

  • Installations of Confirmit software on servers not operated by Confirmit.
  • Non SaaS sites such as www.confirmit.com, extranet.confirmit.com, and learning.confirmit.com

Rules of engagement

Due to legal agreements with our clients, performing security scans on our SaaS environments is not permitted. We still welcome observations made through normal usage of our applications as well as reports on unexpected behavior. If you obtain data or personal identifiable information without authorization you are required to delete all instances of the data, logically and in some cases physically. You are kindly requested to inform us of this. We request the following from you:

  • You give us, and where relevant our clients, reasonable time to investigate and mitigate findings before sharing any information with others.
  • You do not exploit a security vulnerability for any reason. We will assess the full possible impact of the finding ourselves.
  • You do not target other users, respondents or companies without authorization.
  • Stress testing/denial of service (DoS) is not allowed.
  • Automated scanning for software vulnerabilities is not allowed.
  • You may only access the minimum amount of pages/records needed to verify the finding. Accessing further records, scripted or not, is not allowed
  • Once you have sufficient proof of a vulnerability do not proceed to exploit further but send us proof of what you have found/achieved.
  • When flaws are found they must be reported at the earliest possible instance.

Qualifying vulnerabilities

Examples include SQL injection, XSS, CSRF, Authentication flaws, missing authorization, Server-side code execution.

Non-qualifying vulnerabilities

Confirmit’s flexible platform enables our clients to generate their own content within surveys and reports. As this content is not maintained or owned by Confirmit we can only share findings on such content with our clients, we can’t guarantee remediation, timelines or communication on behalf of our clients.

Other non-qualifying vulnerabilities include:

  • Lack of user self-management in password protected surveys.
  • Bugs requiring the use of browsers that are not on our supported browser list for that application.
  • Bugs requiring user to disable security features or perform unlikely actions.
  • Findings on vulnerabilities that pose no effective risk that can be proven. For example lacking the secure flag on a cookie scoped to a HSTS domain and missing flags in non-sensitive cookies.

Reporting

Send your reports to vulnerabilityreport@confirmit.com. Please use https://www.confirmit.com/.well-known/pgpkey.txt to encrypt your report.

You report should include surveyid/projectid, reportid or similar if applicable.

Only the first reporter will be recognized.

Subscribe to Our Newsletter