Authorization
When conducting vulnerability research in accordance with this policy, we will consider your actions to be:
- Authorized under anti-hacking laws. We will not initiate or support legal action against you for accidental, good-faith violations of this policy.
- Authorized under anti-circumvention laws. We will not bring a claim against you for circumvention of technology controls.
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP). Except for penetration testing, we waive relevant restrictions on a limited basis to enable your security research.
- Lawful. We recognize your research as helpful to the overall security of the internet and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to our Office of Information Security ([email protected]) before going any further.
Program Rules and Restrictions
Under this policy, you must:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of Eptura’s service(s), disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Not submit a high volume of low-quality reports.
- Comply with all applicable laws, including, but not limited to, the U.S. Computer Fraud and Abuse Act.
- All information relating to vulnerabilities that you become aware of through this program is considered confidential (“Confidential Information”). You agree to refrain from disclosing Confidential Information publicly or to any third party without prior, written approval from the Office of Information Security ([email protected]). You agree to honor any request from Eptura’s Office of Information Security to promptly return or destroy all copies of Confidential Information and all notes related to the Confidential Information.
- Not publicly disclose, or otherwise share information regarding vulnerabilities to any third party pertaining to Eptura’s intellectual property, without Eptura’s express written permission.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data.
Scope
This policy applies to any digital assets owned, operated, or maintained by Eptura. Any service not expressly listed, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems from our vendors are outside the scope of this policy and should be reported directly to the vendor.
Though we develop, deploy, and maintain other internet-accessible systems or services, active research and testing must only be conducted on the systems and services covered by the scope of this policy. If there is a particular system not in scope that you reasonably believe merits testing, please contact us to discuss it first.
Domains
- eptura.com
- archibus.cloud
- iofficeconnect.com
- managerpluscloud.com
- app.proxyclick.com
- serraview.com
Mobile Applications
- Archibus Workplace (com.archibus.workplace | id1560401343)
- Archibus OnSite (com.archibus.onsite | id1556333338)
- Condeco (com.condecosoftware.condeco | id1565099537)
- Condeco Connect (com.condecosoftware.connect | id1221428379)
- Condeco Desk (com.condecosoftware.deskscreensetup)
- Engage Intune (com.spaceiq.engage.intune | id1571510012)
- Eptura Asset Companion (com.managerplus.x2.workcompanion)
- iOffice Mail (com.iofficeconnect.mail | id1049969793)
- iOffice Service Request (com.iofficeconnect.servicerequest | id883840613)
- Proxyclick Visitor Management (id1059796376)
- Serraview Engage (com.serraview.engage | id1494977395)
Eligible Findings
The following classes of vulnerabilities are of particular interest to us, and are eligible for attribution upon review:
- Remote Code Execution (RCE)
- Injection (e.g., SQL, OS Command, XXE, XSS)
- Broken Access Controls (Insecure Authentication/Authorization)
- Sensitive information leaks
- Cross-site request forgery (CSRF)
- Server-Side Request forgery (SSRF)
Testing Rules & Restrictions
You are not authorized to test for, and we do NOT want reports on, the following:
- Tests that will disrupt Eptura services or impair others’ ability to use them (e.g., denial of service)
- Use of automated scanners. Note: Approved researchers/testers may, with permission, use approved scanners with approved throttling so as not to disrupt service.
- Local network-based exploits such as DNS poisoning or ARP spoofing.
- Physical exploits of our servers or network
- Third-party services
- Attacking physical security
- Use of social engineering
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages
- Knowingly posting, transmitting, uploading, linking to, sending, or storing any malware, viruses, or similar harmful software
Ineligible Findings
Vulnerabilities matching the following criteria are considered to be of too low an impact and are out of scope:
- Google Maps API Keys
- Account/e-mail enumeration using brute-force attacks
  - Account/e-mail enumeration that does not require brute-force attacks may be considered VALID upon approval
- Any low impact issues related to session management (e.g., concurrent sessions, session expiration, password reset/change logout, etc.)
- Bypassing content restrictions in uploading a file without proving the file was received
- Clickjacking/UI redressing
- Client-side application/browser autocomplete or saved password/credentials
- Descriptive or verbose error pages without proof of exploitability or obtaining sensitive information
  - Sensitivity of the information will be determined by ResponsibleDisclosure.JPMorganChase.com
- Directory structure enumeration (unless the fact reveals exceptionally useful information)
- Incomplete or missing SPF/DMARC/DKIM records
- Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections
  - Account compromises (especially admin) because of these issues will likely be considered VALID
- Lack of SSL or Mixed content
- Leaking Session Cookies, User Credentials, or other sensitive data will be reviewed on a case-by-case basis
  - If leaking of sensitive data requires MiTM positioning to exploit, it will be considered out of scope
- Login/Logout/Unauthenticated/Low-impact CSRF
  - CSRF Vulnerabilities may be acceptable if they are of higher impact. The impact will be determined by ResponsibleDisclosure.JPMorganChase.com
- Low impact Information disclosures (including Software version disclosure)
- Missing Cookie flags
- Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability
- Reflected file download attacks (RFD)
- SSL/TLS best practices that do not contain a fully functional proof of concept
  - Heartbleed requires a valid POC which shows sensitive data leakage. The sensitivity of the data will be determined by ResponsibleDisclosure.JPMorganChase.com
  - POODLE requires a POC demonstrating a downgrade, not just the result of an SSL Labs or Nmap scan
- URL Redirection
- Use of a known vulnerable library which leads to a low-impact vulnerability (e.g., an outdated jQuery version leading to low-impact XSS)
- Valid bugs that are not directly related to the security posture of the client
- Vulnerabilities affecting users of outdated browsers, plugins, or platforms
- Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g., Self-XSS)
  - Self-XSS for a Persistent/Stored XSS will be considered due to the possibility that an Admin/superuser may stumble across and execute a payload
- Any type of XSS that requires a victim to press an unlikely key combination (e.g., alt+shift+x for payload execution)
Reporting Process
Submit in-scope vulnerabilities, in English, to [email protected]. Submissions must include details about the vulnerability, proof of concept or steps to replicate the vulnerability, and suggestions on a resolution.
We do not support PGP-encrypted emails. For particularly sensitive information, submit it through our web form (TBD).
Eptura’s Response to Reports
In response to reports submitted in accordance with the rules and requirements of the program, Eptura will:
- Acknowledge the receipt of your report.
- Strive to resolve any confirmed vulnerability within a reasonable timeframe, in alignment with company policies.
- For participants, if a reported issue is determined to be within the program scope, Eptura will validate the finding(s), and the security researcher may disclose the vulnerability after a resolution has been issued and our clients have had reasonable notice to patch.
- Out-of-scope submissions will be accepted and acted upon in alignment with Eptura policies but are not eligible for public attribution.
- Eptura does not pay monetary rewards for submissions.
Legal Terms
We may modify the terms of this program or terminate this program at any time without notice. You must comply with all applicable local, state, national, and international laws, rules, and regulations in connection with your participation in this program. Your participation in this program constitutes acceptance of all terms.