Vulnerability Disclosure Program
Introduction
PICUS is committed to ensuring the security of their information from unwarranted
disclosure. This policy is intended to give security researchers clear guidelines for
conducting vulnerability discovery activities and to convey our preferences in how to
submit discovered vulnerabilities to us.
This program describes what systems and types of research are covered under this
program, how to send us vulnerability reports, and how long we ask security
researchers to wait before publicly disclosing vulnerabilities.
We want security researchers to feel comfortable reporting vulnerabilities they’ve
discovered – as set out in this program – so we can fix them and keep our users safe.
PICUS is committed to ensuring the safety and security of our customers and
employees. We aim to foster an environment of trust and an open partnership with the
security community, and we recognize the importance of vulnerability disclosures in
continuing to ensure safety and security for all of our customers, employees, and
company. We have developed this policy both to reflect our corporate values and to
uphold our legal responsibility to good-faith security researchers who provide us
with their expertise and add an extra layer of security to our infrastructure.

Guidelines
PICUS will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the currently listed PICUS products. We agree not to pursue legal action against individuals who:
- Engage in the testing of systems/research without harming PICUS or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure (bug bounty) program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of PICUS. For example, violating laws that would only result in a claim by PICUS (and not a criminal claim) may be acceptable, as PICUS is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
The list of systems included under the program is as follows:
- picussecurity.com
- app.picussecurity.com
- picus.io
What we expect from security researchers:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug/vulnerability, its impact, and any potential remediation.
- Please include any plans or intentions for public disclosure, and a detailed description of the steps required to reproduce the vulnerability. Proof-of-concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
- All fields of the report must be filled in.
The scope of vulnerabilities included in this program is described below.
Scope
Scope of vulnerabilities you can discover under this program:
The vulnerabilities listed below are explicitly eligible for our security program. Any vulnerabilities that substantially affect the confidentiality, integrity, or safety of user data are covered by the program.
Common examples are given below:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication or Authorization Flaws
- Server-Side Request Forgery (SSRF)
- Server-Side Template Injection (SSTI)
- SQL Injection (SQLi)
- XML External Entity (XXE)
- Remote Code Execution (RCE)
- Local or Remote File Inclusion
Besides respecting confidentiality, you must avoid any activities related to the following:
- Do not attempt to access accounts that do not belong to you.
- Do not attempt to access private information of any users.
- Do not attempt to modify or destroy data.
- Do not perform any type of denial-of-service attack.
- Do not transmit malware, in any capacity.
- You must comply with all applicable laws in connection with your participation in this program.
- Do not make any physical attempts against our property.
- Do not perform attacks that require physical access to a user's device.
Issues not to report:
- Policies on presence/absence of SPF/DMARC records
- Password, email, and account policies, such as email ID verification, reset link expiration, and password complexity
- Logout Cross-Site Request Forgery
- Phishing or social engineering techniques
- Forms missing CSRF tokens
- All Sender Policy Framework suggestions
- Disclosure of public or known directories
- Vulnerabilities only affecting users who are using outdated or unpatched browsers and platforms
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
- Missing security headers which do not lead directly to a vulnerability
- Presence of the autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Reports from automated tools or scans that haven't been manually validated
- Presence of banner or version information unless correlated with a vulnerable version
- UI and UX bugs and spelling mistakes
Vulnerabilities in the list above may not be rewarded.
If the vulnerability you have identified has already been reported or detected, you will not be rewarded.
Data you must not share under this program:
- Personally identifiable information (PII)
- Credit card holder data
- Users' credential information
- Third-party information which is not related to PICUS
How to submit a vulnerability?
To submit a vulnerability report to PICUS' Information Security unit, please fill in the "PICUS VULNERABILITY SUBMISSION FORM".
Technical Severity
The CVSS is the baseline guide used for classifying technical severity. Use the CVSS calculator to compute the vulnerability score; your report must include the CVSS score of the vulnerability.
What are our roles under this program?
- Provide a clear method for researchers to securely report vulnerabilities.
- Clearly establish the scope and terms of any Vulnerability Disclosure programs.
- A timely response to your email (within 3 business days).
- After triage, we will send an expected timeline and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit will be given after the vulnerability has been validated and fixed.
If we are unable to resolve communication issues or other problems, PICUS may bring in a neutral third party to assist in determining how best to handle the vulnerability.
The internal follow-up of such disclosures and the updating of this process are handled by the Information Security Director (ISD). In addition, the ISD is responsible for monitoring this policy and updating it at least once a year.
Safe Harbor
When you conduct vulnerability research according to this policy, we consider that research to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.
Warning and Legality
Before carrying out any security research or reporting vulnerabilities, ensure that you know and understand the laws in your jurisdiction.
The following points highlight several areas that should be considered:
- Do not demand payment or other rewards as a condition of providing information on security vulnerabilities or in exchange for not publishing the details or reporting them to industry regulators, as this may constitute blackmail.
- If you receive bug bounty payments, these are generally considered income, meaning that they may be taxable. Reporting this income and ensuring that you pay the tax is entirely your responsibility.
- If you find vulnerabilities as part of your work, or on equipment owned by your employer, your employer may prevent you from reporting these or claiming a bug bounty. Read your contract carefully and consider taking legal advice before doing so.
Trust Center
We ensure we meet your needs. We strive to achieve the highest security and quality practices.
