Responsible Disclosure Policy
Sovrn Vulnerability Disclosure Policy
Sovrn’s Vulnerability Disclosure Program Terms and Conditions (“Terms”) cover your participation in the Vulnerability Disclosure Program (the “Program”). By submitting any vulnerabilities to Sovrn or otherwise participating in the Program in any manner, you agree and accept these Terms made between you and Sovrn, Inc. (“Sovrn,” “us” or “we”).
The Program enables users (such as, but not limited to, Security Researchers) to submit vulnerabilities and exploitation techniques to Sovrn (“Submission”). No rewards or other remuneration will be issued for Submissions. Sovrn may change or cancel this Program at any time, for any reason without notice.
Publicly accessible information systems, web property, or data owned, operated, or controlled by Sovrn.
Out of scope Vulnerabilities:
Sovrn reserves the right to add and subtract from the Out-of-scope vulnerabilities list depending on the evaluated severity of reported vulnerabilities and risk acceptance. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- DoS, brute force, user enumeration or DDoS attacks
- Any physical attacks against Sovrn property or data centers
- Social Engineering, including phishing
- Email flooding
- Unconfirmed reports from automated vulnerability scanners
- Reports related to permitted password strength
- Theoretical subdomain takeovers with no supporting evidence
- Reports exploiting the behavior of, or vulnerabilities in, outdated browsers
- Logout CSRF, forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
- Directory listing (unless sensitive data can be found)
- Invalid or missing SPF/DKIM/DMARC records
- Blackhat SEO techniques
- Rate Limiting (Non-critical issues)
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Generic examples of Host header attacks without evidence of the ability to target a remote victim
- Missing Security HTTP Headers (without proof of exploitability)
- Clickjacking on pages with no sensitive actions
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Borderline Out-of-scope Vulnerabilities:
- Autocomplete attribute on web forms
- “Self” exploitation (such as Self-XSS)
- Verbose error pages (without proof of exploitability)
- Disclosure of server or software version numbers
- Use of known-vulnerable library (without proof of exploitability)
- Clickjacking / UI Redressing (without proof of exploitability)
- Content spoofing / text injection
- Open Redirects that are not chained into a more impactful vulnerability
CHANGES TO THESE TERMS
We may change these Terms at any time without notice. Participating in the Program after the changes become effective means you agree to the new Terms. If you don’t agree to the new Terms, you must not participate in the Program.
You ARE eligible to participate in the Program if you meet the following criteria:
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this Program. Sovrn is not responsible for your affiliated organizations rules, regulations, policies, standards, operating procedures or the like.
You ARE NOT eligible to participate in the Program if your organization does not allow you to participate in these types of programs;
- It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating in the program. Sovrn disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
- There may be additional restrictions on your ability to enter depending upon your local law and/or geopolitical implications.
Sovrn is not claiming any ownership rights to your Submission. However, by providing any Submission to Sovrn, you:
- grant Sovrn the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, trade shows, and screen shots of the Submission in press releases) in all media (now known or later developed);
- agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
- agree not to post any information publicly without the direct and written consent from the Sovrn Chief Executive Officer, Chief Financial Officer, Chief Technology Officer or General Counsel;
- understand and acknowledge that Sovrn may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
- understand that you are not guaranteed any compensation or credit for use of your Submission; and
- represent and warrant that your Submission is your own work, that you haven’t used information owned by another person or entity, and that you have the legal right to provide the Submission to Sovrn.
CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE
Protecting customers is Sovrn’s priority. We endeavor to address each Submission in a timely manner. We require that Submissions remain confidential. You can make available high-level descriptions of your research and non-reversible demonstrations after the vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 60 days after the vulnerability is fixed. Sovrn will notify you when the vulnerability in your Submission is fixed.
Limited Waiver of Other Site Terms & Policies
To the extent your security research activities are inconsistent with certain restrictions in our relevant site terms and policies but are consistent with the terms of this Program, we waive those restrictions for the sole and limited purpose of permitting your security research under this Program. If your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), there is a possibility that they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities as such testing is beyond the scope of our Program, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions. Please contact us at security@Sovrn.com before engaging in conduct that may be inconsistent with or unaddressed by this Program. If in doubt, ask us first.
Other than your Submission, Sovrn does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements (“Unsolicited Feedback”). If you send any Unsolicited Feedback to Sovrn through the Program or otherwise, Sovrn makes no assurances that your ideas will be treated as confidential or proprietary.
IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.