Report a Vulnerability
Priority on Security
When it comes to security, we take our responsibilities to our customers and users very seriously. Our top priority is to guarantee that our users are kept safe to the highest degree and we encourage the security community to report vulnerabilities when discovered.
While we do our best to cover all bases when it comes to these aspects, the fact of the matter is that the digital world is a continual moving target, and for every effort we make, there’s something else we’ll miss. Those with bad intentions are always on the lookout for and looking to exploit anything we overlook, no matter how small. We encourage anyone that finds a security fault in our products to report it so that we are able to address it quickly and ensure the online safety of all of our customers and their end-users.
We understand that hackers are always on the lookout for new ways to exploit security flaws, so we must stay one step ahead of them by detecting and addressing any issues as soon as possible. We appreciate your assistance in keeping us all safer by reporting any problems you may encounter. We hope you never have a reason to report an issue, but if you do, we thank you for your help in making everyone more secure!
Vulnerability disclosure policy
We believe in and support working with the research and security practitioner community to enhance our online security. We applaud good-intentioned and ethical cybersecurity researchers who carry out investigative work into security flaws.
We are committed to:
- investigating and resolving security vulnerabilities on our platform and services
- working in collaboration with the ethical security community
- responding promptly and actively
What to expect when reporting a vulnerability
You will receive an acknowledgment response following the submission of your vulnerability report, which is generally within 24 hours.
The team will address the reported vulnerability as soon as possible. They’ll notify you whether::
- further information is required
- the vulnerability is in or out of scope
- this is a duplicate report
If the problem requires additional work, it will be assigned to the proper Temasys team or vendor(s), with help from our security staff.
The significance of a bug’s impact and its exploit complexity are considered when assigning priority. Vulnerability reports may take some time to evaluate or address. You are welcome to inquire about the status of the procedure, but please do not ask more than once every 14 days. This is necessary so that our personnel may focus on the reports as much as possible.
Once the reported vulnerability is resolved or remediation work is scheduled, the Security Team will notify you and invite you to confirm that the solution covers the vulnerability adequately.
Feedback
You are invited to give us feedback on the:
- disclosure handling process
- clarity and quality of communication
- effectiveness of vulnerability resolution
We’ll use your comments in strict confidence to help us improve our reporting, services, and vulnerability management practices.
Guidance for Security Researchers
Security researchers must not:
- access unnecessary amounts of data, for example, 2 or 3 records is enough to demonstrate most vulnerabilities, such as an enumeration or direct object reference vulnerability
- use high-intensity invasive or destructive technical security scanning tools to find vulnerabilities.
- perform actions that violate the privacy of Temasys’ users, staff, contractors, services or systems, for example by sharing, redistributing and/or not properly securing data retrieved from our systems or services
- communicate any vulnerabilities or associated details using methods not described in this policy, or with anyone other than their assigned Temasys security contact
- modify data in Temasys’ systems or services which do not belong to the researcher
- disrupt Temasys’ services or systems
- social engineer, ‘phish’ or physically attack Temasys’ staff or infrastructure
- disclose any vulnerabilities in Temasys’ systems or services to third parties or the public, prior to Temasys’ confirming that those vulnerabilities have been mitigated or rectified
- require financial compensation in order to disclose any vulnerabilities
Bug Bounty
Temasys does not offer a paid bug bounty program as standard.
However, when appropriate, we will make efforts to express our thanks to security researchers who take the time and effort to investigate and report security flaws to us in accordance with this policy.
Submit a Report
Please fill out the form below or open a ticket with us on our support portal.