Responsible Vulnerability Disclosure Program
About this program
Here at InvGate, we are committed to protecting our customers and their data. As part of our overall security strategy, InvGate welcomes the contributions of external security researchers who find vulnerabilities and help us improve the security posture of our systems and customers. If you've discovered a security issue you believe InvGate should be aware of, we would love to work with you. InvGate recognizes and celebrates those who contribute valuable and impactful findings via the product's changelogs; researchers can choose whether or not their contributions to InvGate's security are made public. Our program applies to vulnerabilities found in the in-scope systems and products outlined below. By working with us collaboratively and confidentially, you will be acknowledged for your valid findings.
Program Rules
The following testing approaches and attacks are not scoped as part of this program:
- Data exfiltration as a direct result of software vulnerabilities. If such a vulnerability is found, researchers must contact InvGate's InfoSec team before exploiting it and await instructions. Unauthorized data exfiltration prior to agreeing on a procedure with InvGate's InfoSec team will constitute grounds for legal action.
- Distributed or general Denial of Service attacks, though rate limiting and throttling findings might be accepted depending on circumstances and technical details of the finding itself.
- Phishing, smishing, vishing to InvGate employees.
- Attempting to obtain information from other user accounts. If you believe you've found an issue that may result in compromising the data or session of another user account, you must test against your own testing accounts and not against any InvGate customer environment, and notify us immediately.
- Using automation to brute force login credentials.
- Scraping large sections of this site, manually or using automation, to enumerate user IDs, usernames, e-mails, or other user/employee information.
- Reports about missing security best practices, such as HSTS headers, CSP, or CORS configuration, without actual exploitation evidence.
Testing Account Rules
Prior to performing testing on the site, you must observe and agree to the following rules:
- Attempts to gather information from an account other than the one being used must be limited to accounts you control. You may not at any time attempt to gather information from an account you do not directly own. If you want to test gathering information from, or escalating to, another user, please create one demo account for each of these purposes.
- For all requests, please send the header X-InvGate-VulnerabilityResearcher: <your e-mail address> to clearly indicate that your traffic is RVDP-related. This helps us troubleshoot possible issues resulting from the testing you are performing.
Safe Harbor
1. Safe Harbor Terms
To encourage security research and responsible disclosure of security-related vulnerabilities, InvGate hereby states that it will not pursue civil or criminal action, nor notify law enforcement, for accidental or good-faith violations of InvGate's Responsible Vulnerability Disclosure Program's Terms and Conditions ("the RVDP policy"). Given that InvGate has an international presence, the legislation of the following jurisdictions may apply: the United States of America, Argentina and the European Union.
2. Third-Party Safe Harbor
If you submit a report through our RVDP program that affects a third-party service, whether or not InvGate uses that service, InvGate will by default limit the information shared with any affected third party. InvGate may share non-identifying content from a researcher's report with an affected third party only after notifying the researcher(s) of our intention to submit the content, and after obtaining the third party's written commitment that they will not pursue legal action against researchers or initiate contact with law enforcement based on either our report or the researchers'. InvGate will not share your identifying information with any affected third party without first obtaining your written permission to do so, in compliance with the GDPR and applicable Argentine and US law.
2.A. InvGate does not authorize out-of-scope testing on behalf of third parties, and such testing is beyond the scope of our policy. InvGate forbids research on third-party products, services, infrastructure, etc. performed through the unlawful or non-compliant use of any of InvGate's products, services or infrastructure. Moreover, InvGate forbids using any authentication artifact (including but not limited to passwords, API tokens and credentials) that is found, leaked, or obtained as a result of either RVDP-compliant or non-RVDP-compliant research targeting InvGate's products, services, infrastructure or any other asset owned by InvGate, to perform security or vulnerability research on the affected third party.
As an example, if an API token created and used by InvGate for a particular third-party service is found as a result of research within InvGate's RVDP scope, that API token must not be used to perform security or vulnerability research on the third party's products, services or infrastructure. Legal action may be initiated should the researcher fail to comply with this.
3. Limited Waiver of Other Site Policies
To the extent that an individual's security research activities are inconsistent with certain restrictions in our relevant site policies, but are consistent with the terms of our RVDP program, InvGate temporarily waives those restrictions for the sole and limited purpose of permitting your security research under this RVDP program, pending an internal review with InvGate's Legal department.
Submission Recognition Rules
InvGate reserves the right to recognize you for the findings you have submitted to us. As part of this agreement, you agree not to disclose an issue before a remediation is deployed, and to obtain prior authorization before any disclosure. Failure to adhere to these rules may result in a ban from this program or other actions.
How to Submit Your Report
All reports should be sent to rvdp@invgate.com. Please include the following in your e-mail:
- Your full name or pseudonym (mandatory)
- Whether or not you want to be publicly acknowledged in our product's changelogs
- GitHub/LinkedIn/Mastodon/X profile (optional)
To ensure that InvGate can properly review and validate your findings, please adhere to the following guidelines for your submission:
- Description: Provide a clear description of your finding.
- Reproduction Steps: Include detailed steps to reproduce the issue.
- Account Information: If applicable, provide the account name used for testing, including the user role type (e.g., user, manager, admin). This helps us verify account-specific state and troubleshoot the issue.
- Impact Description: Describe the impact on our environment, customers, data, or employees.
- Evidence: Include screenshots, videos, log files or proof-of-concept code to help us reproduce the issue.
- Browser Details: Specify the web browser version or User-Agent used during testing, as this can affect the endpoint or workflow.
- Software and OS: When applicable, list the software versions and operating systems impacted.
Public Recognition Eligibility
- The researcher agrees to the rules, terms, and conditions set forth in this document.
- The researcher is not a current InvGate employee, nor have they been an employee within six months prior to submitting a report.
- The researcher must be the first person to report this issue.
- The researcher will not attempt to access personal information belonging to another user, including by exploiting a vulnerability.
- The researcher will not perform attacks or security testing against vendors, partners, or third parties that may be in use.
Scope
This section lists the assets, websites, products, and services that are considered in-scope and out-of-scope. This list is subject to change without notice and should be reviewed prior to submitting a finding. Anything not listed here is considered out of scope.
In-scope assets
- *.invgate.com (hosts and DNS records)
- *.invgate.net (hosts and DNS records)
- Public APIs
  - InvGate Service Management
  - InvGate Asset Management
- InvGate Asset Management (IGAM) agent
  - Windows
  - Linux
  - macOS
  - iOS
  - Android
- Mobile application (iOS)
  - InvGate Service Management
Out-of-scope vulnerabilities
- TRACE, TRACK, or OPTIONS HTTP methods being enabled.
- Non-exploitable clickjacking findings such as pages missing X-Frame-Options (unless exploitation is proven).
- Logical bugs that represent no immediate or exploitable security risk.
- Cross-site request forgery reports on features whose intended behavior resembles CSRF (e.g. webhooks).
- Denial of Service attacks/weaknesses.
- Generic best practice concerns without demonstrable exploitation.
- Credential stuffing and account takeover via phishing or other means external to InvGate products.
- Spam or social engineering methods.
- Password complexity-related concerns.
- Mobile application crashes that do not lead to a security escalation or abuse.
- Vulnerabilities requiring jailbroken devices or physical access to an unlocked device to exploit.
If you believe you've found an issue that affects an asset belonging to us but isn't included in the scope here, please contact us.
Severity Score
The chart below is based on Mitre’s Common Vulnerability Scoring System (CVSS) v3.1.
| Severity | Score | Example issues |
|---|---|---|
| Critical | 9.0-10.0 | PII disclosure, remote command execution, SQL injection, code injection, total authorization or authentication bypass, escalation from unprivileged or semi-privileged accounts to admin/root. |
| High | 7.0-8.9 | Cross-site scripting, SSRF, partial authorization or authentication bypass. |
| Medium | 4.0-6.9 | Directory traversal, cross-site request forgery, missing Secure cookie flag on session cookies. |
| Low | 1.0-3.9 | Minor information disclosure, missing HttpOnly cookie flag, etc. |
InvGate is not currently offering compensation for reported vulnerabilities. Should that change in the future, this policy will be updated.