Devo Vulnerability Disclosure Program

Guidance for security researchers on how to report vulnerabilities to Devo

Devo Vulnerability Disclosure Policy

Devo Technology, Inc., the cloud-native data analytics and security company, is committed to ensuring the safety and security of our products, services, and customers. As such, we are publishing this Policy and Program.

You Should

  • Respect the rules. Operate within the rules set forth here, or speak up if in strong disagreement with the rules.
  • Respect privacy. Make a good faith effort not to access or destroy another user’s data.
  • Be patient. Make a good faith effort to clarify and support their reports upon request.
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

Scope

This Program shall only apply to data analytics and SIEM software solutions that we develop and license to our customers. This Program does not apply to our website and non-service-oriented infrastructure, and certain vulnerabilities. The following are examples (but not a limited list) of properties and vulnerabilities that are out of scope:

  • *.devo.com web properties
  • Attacks involving stolen credentials or physical access to endpoint devices
  • Automated Scans (without an exploitable PoC)
  • Host Header Injection (without providing an exploitable scenario)
  • Content Spoofing Vulnerabilities
  • HTTP Trace method is enabled
  • Denial of Service (DoS) or DDoS
  • DLL hijacking (without escalation of privileges)
  • DNS configuration related issues
  • Issues present in older versions of browsers, plugins, or any other software
  • Low Severity Clickjacking Vulnerabilities

Safe Harbor

Devo Technology, Inc. will not engage in legal action against individuals who, in good faith, submit vulnerability reports following these guidelines and procedures. 

How to Submit a Vulnerability

First, you should review and agree to the Responsible Disclosure Agreement. Then, submit the vulnerability report to [email protected]

Upon receipt of the report, we will review and investigate the vulnerability as soon as practicable and no later than within 30 days from receipt of the report. You will be notified when this investigation starts. We use CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. If we determine that vulnerability requires remediation, we will start remediating the vulnerability as soon as practicable.

Publication of Vulnerability

Following the successful fix of the vulnerability, we will disclose the vulnerability and the successful remediation on our website, subject to the terms and conditions of the Responsible Disclosure Agreement. If you prefer to be credited by name, please let us know in writing (email sufficient). 

Bounty Program

After remediation, you may be eligible to receive a bounty payment, subject to the terms and conditions of the Responsible Disclosure Agreement. While we use CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity, we reserve the right, in our sole discretion, whether the vulnerability qualifies for a bounty payment.

This policy is current as of October 9, 2020