Proxyclick Vulnerability disclosure policy

This Vulnerability disclosure policy applies to all Proxyclick applications. If you have any questions, please contact us via security@proxyclick.com.


Our vulnerability disclosure policy 

Proxyclick is a customizable, cloud-based solution that enables leading businesses to take control of their people flows. It provides a single interface to manage visitors, employees, contractors, and anyone else on premises, while improving security, efficiency, compliance, and branding. 

As we process personal and sensitive data, security and trust are always top-of-mind, and we are always working to improve our product so that it is as secure as possible. 

But even with everything that Proxyclick is doing, we remain down-to-earth and acknowledge that a vulnerability can always slip through the cracks. The Vulnerability disclosure policy is one of the ways we uncover potential vulnerabilities. We do this by inviting ethical hackers and security researchers to disclose them. 

If you find a vulnerability, please let us know so that we can take measures as quickly as possible. 

Our promise to you 

  • We are happy to respond to any questions via security@proxyclick.com 
  • We aim to process your submissions within 2-3 working days 
  • We respect the safe harbor clause that you can find below 

Your promise to us 

  • Use trial account(s) to perform vulnerability research. No real data should be used or affected. 
  • Provide detailed but to-the-point reproduction steps. 
  • Include a clear scenario. How could this vulnerability impact the solution? 
  • Please do not discuss or post vulnerabilities without our consent (including PoCs on YouTube and Vimeo). 

Scope 

Applications & endpoints 

  • Proxyclick Kiosk App: Proxyclick’s kiosk app lets you digitize your check-in process for employees, contractors, and visitors, while strengthening security, efficiency, compliance, and data protection processes. 
  • api.proxyclick.com: This is Proxyclick's general API used to support our applications. 
  • app.proxyclick.com: The Proxyclick cloud app enables businesses to take control of their people flows. The single interface allows the management of visitors, employees, contractors, and anyone else on-premises. 
  • outlook.proxyclick.com: This is Proxyclick's Outlook Add-in Domain. It's used by our customers to schedule visits directly through Outlook. You can find out more about the Outlook Add-In here. 

What we're looking for 

  • Leaking of PII & financial information 
  • Ability to manipulate customer data 
  • Ability to manipulate the flow of data between the front-end and back-end 
  • Horizontal/vertical privilege escalation 
  • Bypassing authentication 
  • Bypassing the free trial period 
  • Bypassing the restrictions to obtain additional feature packages 
  • Bypassing the WAF 
  • Bypassing role-based user privileges on a tenant 
  • Access to sensitive logging data that could result in a PII breach 
  • Ordering free products/features 
  • SQLi 
  • XSS 

What is not allowed 

  • Placing malware (virus, worm, Trojan horse, etc.). 
  • Copying, modifying or deleting non-trial data in the system. 
  • Repeatedly accessing the system or sharing access with others. 
  • Using automated scanning tools. 
  • Using brute-forcing. 
  • Using denial-of-service attacks. 

Reporting a vulnerability 

  • Submissions must be forwarded to security@proxyclick.com in English.
  • They should include (at the very least): 
    • Estimated severity based on CVSS 
    • Targeted domain 
    • Endpoint / vulnerable component 
    • Type of vulnerability 
    • Proof of Concept & description 
    • Estimated impact 

What to expect after submitting a vulnerability 

  • We will typically process your submission within 2-3 working days. 
  • You may be contacted for more information. 
  • Your findings will be treated as responsible disclosures by default. 
  • To thank you for reports that surface vulnerabilities that were unknown to us, we offer the opportunity to be listed in our ‘Hall of Fame’. 
  • Submissions may be rejected based on Proxyclick's perceived business impact. 
  • Low-quality reports may not be pursued. 
  • Monetary rewards are the exception to the rule and can only be provided through our private bug bounty program with Intigriti. As this program is invite-only, you can request to be added by contacting security@proxyclick.com with your username and a reference to your reputation. 

Safe harbor for researchers 

Proxyclick considers ethical hacking research conducted consistent with this policy to be “authorized” under criminal and civil law. Proxyclick will not pursue civil action or initiate a complaint about accidental, good-faith violations. 

If legal action is initiated by a third party against you and you have complied with the policy, Proxyclick will take steps to make it known that your actions were conducted in compliance and with our approval. 

Any questions?

Contact us via security@proxyclick.com