Responsible Disclosure

Reporting

We take security very seriously. If you find a security vulnerability, we ask you to responsibly disclose the details to us.

  • If you have found a potential vulnerability in our products that meets all of the criteria below, report it to security@ehsinsight.com or through our vulnerability report page. You can expect a confirmation from our security team within about 48 working hours of submission.
  • Please refrain from conducting security testing against existing customers' production accounts.
  • When conducting security testing, make sure not to violate our privacy policies, modify or delete user data, disrupt production servers, or degrade the user experience.
  • Disclose discovered vulnerabilities only to security@ehsinsight.com or through our vulnerability report page. Publicly documenting any potential vulnerability, whether in scope or out of scope, is against our responsible disclosure policy.
  • If your finding is valid and unique, you may be eligible for a reward.

Out of Scope Vulnerabilities

  • Clickjacking / UI Redressing attack
  • Self-XSS and XSS that only affects outdated browsers
  • Use of components with known vulnerabilities without a relevant proof of concept of an attack
  • Host header and banner-grabbing issues
  • Denial of Service attacks and Distributed Denial of Service attacks
  • Automated tool scan reports (for example, web, SSL/TLS, or Nmap scan results)
  • Missing HTTP security headers and missing cookie flags on non-sensitive cookies
  • Missing rate limiting and brute-force attacks
  • Login, logout, and other low-business-impact CSRF
  • Unrestricted file upload
  • Open redirects, unless they can be used to actively steal tokens
  • Formula/CSV Injection
  • Vulnerabilities that require physical access to the victim's machine
  • User enumeration (for example, of user emails or user IDs)
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
  • Missing security best practices
  • Vulnerabilities found in third-party services
  • Session fixation and session timeout