EPI-USE Labs takes data privacy and security seriously. As a provider
of software and services we recognize the value and importance of
appropriately preserving the confidentiality, integrity, and
availability of all our software and services.
We are committed to addressing security issues through a coordinated
and constructive approach, to further enhance security and to protect
both users and intellectual property.
Reporting security issues
EPI-USE Labs will investigate legitimate reports and make every effort
to address any vulnerabilities disclosed as quickly as possible, and
will work with security researchers who comply with the following
responsible disclosure guidelines:
- If you believe you have discovered a vulnerability in a product or
  have a security incident to report, please send all correspondence
  to the following address: disclosure@labs.epiuse.com. Should you wish
  to encrypt the message, please use our PGP public key to encrypt your
  communication with us.
- Please include the phrase "vulnerability detected" in the subject
  line of the email.
- Provide details of the vulnerability or incident, including the
  information needed to reproduce and validate it.
- Make a good faith effort to avoid privacy violations, destruction of
  data, access to or modification of data (personal or otherwise), and/or
  interruption or degradation of EPI-USE Labs systems or services.
- Provide us with a realistic timeframe to investigate, respond to and
  correct the issue before disclosing the event on a public forum.
Out of scope vulnerabilities
- Clickjacking on pages with no sensitive actions or no authenticated
  actions
- Software version disclosure/banner identification issues
- Missing email best practices (invalid, incomplete, or missing
  SPF/DKIM/DMARC records etc.)
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
  (unless proven to be a configuration issue or a software bug)
- Open redirect, unless an additional security impact can be
  demonstrated
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms
  with no sensitive actions
How to verify a security.txt file from one of our products
# Download our PGP public key
wget https://security.epiuselabs.com/security-txts/epi-use-labs-security.asc
# Download the security.txt file
wget https://clientcentral.io/.well-known/security.txt
# Import our PGP public key
gpg --import epi-use-labs-security.asc
# Verify the content of security.txt
gpg --verify security.txt
The output should look like:
gpg: Good signature from "EPI-USE Labs Security <security@labs.epiuse.com>"
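A "Good signature" line only establishes that the file was signed by the key imported in the previous step; it says nothing about whether the signed content is usable. The script below is an added example, not EPI-USE Labs' code: it extracts the signed body from a clearsigned security.txt, parses the RFC 9116 fields, and reports the problems a reviewer checks for after the signature verifies (a missing Contact, a missing or past Expires, a Canonical URL that does not match where the file was fetched from). The sample file embedded in it is constructed for the example, with the addresses and URLs taken from this page and a placeholder where the real signature block would be; it does not replace `gpg --verify`, which remains the signature check.

```python
"""Added example: post-verification checks on a clearsigned security.txt.
Not EPI-USE Labs' code. SAMPLE below is constructed for this example."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample in the shape served at /.well-known/security.txt.
# The signature block is filler, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# EPI-USE Labs security contact information (constructed sample)
Contact: mailto:disclosure@labs.epiuse.com
Encryption: https://security.epiuselabs.com/security-txts/epi-use-labs-security.asc
Expires: 2099-01-01T00:00:00Z
Canonical: https://clientcentral.io/.well-known/security.txt
Preferred-Languages: en
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER-SIGNATURE-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""


def clearsigned_body(text: str) -> str:
    """Return the signed payload of a PGP clearsigned message.
    Raises ValueError if the framing is absent, so an unsigned file (which
    `gpg --verify` would also reject) is never treated as a signed one."""
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    # Skip armor headers such as "Hash: SHA256" up to the first blank line.
    i = start + 1
    while i < end and lines[i].strip():
        i += 1
    body = lines[i + 1:end]
    # gpg dash-escapes payload lines that start with '-' (RFC 4880, 7.1).
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def parse_fields(body: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines into a dict of value lists (fields may
    repeat). Blank lines and '#' comments are ignored; names are
    case-insensitive per RFC 9116."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, fetched_from: str,
                       now: datetime | None = None) -> list[str]:
    """Return the list of problems found; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    try:
        fields = parse_fields(clearsigned_body(text))
    except ValueError as exc:
        return [str(exc)]
    if not fields.get("contact"):
        problems.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append(f"Expires lacks a timezone: {expires[0]!r}")
            elif when <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {expires[0]!r}")
    canonical = fields.get("canonical", [])
    if canonical and fetched_from not in canonical:
        problems.append(f"fetched from {fetched_from} but Canonical "
                        f"lists {canonical}")
    if not fields.get("encryption"):
        problems.append("no Encryption field (optional, but reporters "
                        "cannot locate the PGP key without it)")
    return problems


if __name__ == "__main__":
    url = "https://clientcentral.io/.well-known/security.txt"
    for line in check_security_txt(SAMPLE, url) or ["security.txt checks passed"]:
        print(line)
```

Run the checks on the file you actually downloaded (after `gpg --verify` succeeds), passing the URL you fetched it from as `fetched_from`. Because the key is imported from a URL in the same step, it is also worth comparing the fingerprint gpg prints against one obtained through a second channel before trusting the signature.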
How to encrypt the message
gpg --encrypt --sign --armor -r security@labs.epiuse.com message.txt
This produces a message.txt.asc file, whose contents you can send to
disclosure@labs.epiuse.com