Vulnerability disclosure policy
At Idura, the security of our services is a top priority.
We acknowledge that vulnerabilities can never be completely eliminated, and we value the expertise of the security research community in identifying potential weaknesses in our systems. We encourage responsible vulnerability research and disclosure.
If you discover a vulnerability in any of our systems, please let us know about it as quickly as possible so we can address it.
This policy outlines the conditions under which Idura will engage with and protect researchers who report vulnerabilities in good faith.
Idura is committed to not pursuing legal action against security researchers who report vulnerabilities in accordance with this Policy and act in good faith.
If you report a vulnerability in violation of this policy, Idura may choose not to engage with your report.
This policy does not create any contractual relationship, employment relationship, or agency between you and Idura, and does not confer any rights upon third parties.
Scope
All Idura products and services are in scope of this policy.
Please note that the scope *does not* include external service providers.
We ask you to only execute proofs of concept against resources in tenants owned by your own account.
You are welcome to register as many Idura accounts, tenants, domains and applications as you reasonably need for research purposes.
Out-of-scope systems
Any services not provided by Idura are outside the scope of this policy.
This includes, without limitation, all external service providers.
In particular, providers of electronic identification means are *not* in scope.
Vulnerabilities found in systems operated by external service providers should be reported directly to the relevant service provider in accordance with their own disclosure policy, if applicable.
Non-production systems provided by Idura are outside the scope of this policy.
Out-of-scope vulnerabilities
The following issues are considered out of scope of this policy:
- Volumetric/Denial of Service vulnerabilities.
- Vulnerabilities requiring physical access to a user's device.
- Self-XSS.
- Social engineering attacks.
- Physical security attacks.
- Brute force attacks on cryptography.
- Clickjacking with no demonstrated security impact.
- JavaScript warnings with no demonstrated security impact.
- Known CVEs without a demonstrated proof of concept.
- Open ports with no demonstrated security impact.
- Vulnerabilities affecting outdated browser/platform versions.
- Outdated libraries with no demonstrated security impact.
- Missing security headers with no demonstrated security impact.
- Application error codes (e.g. HTTP 500) with no demonstrated security impact.
- Lack of adherence to best practices with no demonstrated security impact.
- Unexploitable vulnerabilities.
- Disclosure of information with no demonstrated security impact.
- Subdomain takeover with no demonstrated proof of concept.
- Vulnerabilities that have recently been publicly disclosed (30 days or less).
- Vulnerabilities caused by deliberate misconfiguration of our products.
- Exploitation of generic operating system vulnerabilities.
- Vulnerabilities in our customers' systems or integrations.
- Vulnerabilities in non-production systems.
Idura may update this list at any time.
Guidelines
We ask you to:
- Follow the rules in this policy.
- Follow all applicable laws and regulations.
- Avoid violating the privacy of others by sharing data containing confidential or personally identifiable information.
- Never attempt to gain access to another user's account or data.
- Never attempt a proof of concept against another user's account or resources.
- Never attempt a proof of concept of social engineering or physical attack unless expressly permitted to do so by Idura.
- Never attempt a proof of concept of a denial of service attack.
- Report any vulnerabilities you discover to us as quickly as possible.
- Not exploit the vulnerability or problem you have discovered beyond what is strictly necessary to demonstrate its existence, and refrain from downloading, deleting, or modifying data belonging to others.
- Allow our security team reasonable time to resolve any issues you have found before publicly announcing them.
- Immediately let us know if you accidentally executed a proof of concept involving another user's data.
How to report a vulnerability
If you have discovered a vulnerability that you want to report, please email your findings to security@idura.eu.
Your report must include:
- A description of the anomalous behavior caused by the issue.
- A procedure for reproducing the issue, ideally including any proof-of-concept code.
- A description of the possible threat you believe is caused by the issue.
- The product or service in which you found the issue: the name of the product or service, the URL you used to access it, etc.
- Your own assessment of the severity of the issue.
- How you believe the threat could be exploited by a real attacker.
- Any information you may have about actual exploitation of the issue.
Include details about the issue, how you discovered it, and attach any screenshots or data that may help explain the issue.
Ensure you give us enough detail to reproduce the issue.
Please write your report in English.
If the vulnerability was found by an automated tool, please do not report it to us unless you have manually validated the proof of concept yourself.
If you have found a vulnerability, please do not exploit it, and please do not disclose it to others until we have resolved it.
What to expect
When you report an issue, you can expect us to:
- Send you a confirmation that we have received your report.
- Provide you with a follow-up answer with our initial findings within a reasonable time after receiving your report.
- Cooperate with you in good faith to validate the report.
- Treat your report confidentially.
Bug bounties
We do not currently offer a structured public bug bounty program.
We do however offer monetary rewards when certain thresholds for reported findings are met.
The size of the reward depends on the severity of the reported vulnerability and the attack potential necessary to exploit it.
Reports need to meet the following criteria to qualify for a reward:
- We need to be able to reproduce and verify the issue.
- The issue needs to be novel, i.e. not previously known or reported.
- The issue needs to meet a minimum level of severity as determined by the Idura security team.
- You must submit the report in accordance with the rules in this policy.
Updates and feedback
This policy may be updated at any time.
We welcome feedback on this policy.
Please send it to security@idura.eu.