Vulnerability Disclosure Policy

Promise

At Pentalog, maintaining the security of our networks is a top priority. Our information technologies provide critical services to both our employees and our clients.

The security researcher community and other sources regularly make valuable contributions to the security of organizations and the broader Internet, and Pentalog recognizes that fostering a close relationship with them will help improve our own security. If you have information about a vulnerability in a Pentalog website, you are welcome to report it to us, and we encourage you to do so!

If you follow this policy with good faith and comply with it, we will not pursue or support any legal action related to your research.

Scope

Only the Pentalog websites (https://www.pentalog.com & https://www.pentalog.fr) are in scope for reporting.

Any website, application or service not explicitly listed above, such as connected services or internal applications, is excluded from scope and not authorized for testing.

Out of scope

  • Any website, application or service not explicitly listed in the “Scope” section above
  • Any activity that could lead to the disruption of our service (DoS)
  • Output from automated scanners without a proof of concept (PoC) demonstrating a specific vulnerability
  • Lack of the Secure or HttpOnly flag on non-sensitive cookies
  • Email configuration issues without a PoC to demonstrate a specific flaw
  • Social engineering of Pentalog employees, contractors, vendors, or service providers
  • Physical attacks against Pentalog employees, offices, and data centers
  • Any vulnerability obtained by breaching a Pentalog vendor’s service, customer account or employee account
  • Customer assets that use Pentalog’s infrastructure

Reporting and our expectations

If you believe you have found a security vulnerability that could impact Pentalog, our users or our clients, we encourage you to let us know right away, using only the Official Channel to discuss vulnerability information with us. We will investigate all legitimate reports and do our best to fix the problem quickly.

We ask that you follow our Security Policy and make a good faith effort to avoid privacy violations, harming our user experience, destruction of data, and interruption or degradation of our service during your research. Any testing you perform must be limited to what is in Scope and must respect the systems and activities listed as Out of Scope. If a vulnerability provides you with unintended access to data, you must limit the amount of data you access to the minimum required to effectively demonstrate the PoC; cease testing and submit a report immediately if you encounter any of our user data during testing, such as personal data (or any other proprietary information). Interact with test accounts only through an account that you own or with explicit permission from the account holder.

What we would like to see from you:

  • Well-written reports in English will have a higher chance of being accepted
  • Reports that include proof of concept code will be more likely to be accepted
  • Reports that include only crash dumps or other automated tool output will most likely not be accepted
  • Reports that include products not on the covered list will most likely be ignored
  • Include how you found the bug, the impact, and any potential remediation
  • Coordinate any plans for public disclosure with Pentalog
  • Do not engage in extortion

What you can expect from us:

  • A timely response to your email
  • An open dialog to discuss issues
  • Notification when the vulnerability analysis has completed each stage of our review
  • An expected timeline for patches and fixes (usually within 120 days) after you have received our acknowledgement of receipt of your report
  • Credit after the vulnerability has been validated and fixed

Official Channel

To report any security issue to us, please use our Official Channel at security@pentalog.com, providing all the relevant information mentioned above.

If you have any questions regarding this policy, or about whether your security research is consistent with this policy, please email our official channel before going any further.

Safe Harbor

As stated in the “Promise” section, vulnerability research must be conducted according to this policy; in addition, research conducted under this policy must be:

  • Authorized under any applicable anti-hacking law and compliant with all applicable laws
  • Authorized under any relevant anti-circumvention laws; we will not bring a claim against you for circumvention of technology controls
  • Lawful and helpful to the overall security of the Internet

Update and Legal

We encourage you to regularly check this site as we may update our policy terms and eligibility, which are effective upon posting. We reserve the right to modify or cancel this policy at any time.

Pentalog reserves the right to modify the terms and conditions of this policy, and your participation in any vulnerability research constitutes acceptance of all terms.