CNote’s Vulnerability Disclosure Program
Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users, partners, and employees. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
- Public S3 buckets (if any are found, please contact us immediately)
Out of Scope
Official Communication Channel
Contact us via email (firstname.lastname@example.org) with a detailed report of the potential vulnerability. If you believe the vulnerability is serious or your report includes sensitive or confidential information, then please encrypt the message with PGP. Our corporate PGP key is listed at the bottom of this page.
This email should include as much of the following as possible:
- Type of vulnerability
- Whether the information has been published or shared with others
- Affected sites
- Affected configurations
- Step-by-step instructions/proof-of-concept codes to replicate the issue
Once submitted, a member of our security team will personally acknowledge that we have received your report within 24 hours and, where applicable, provide an outline of the response plan.
We will then review the information and work to validate the reported vulnerability. In the event that a true vulnerability is discovered, we will complete the investigation and notify the reporter. Where appropriate, the reporter will receive the results of the vulnerability findings, a plan for resolution, and, if applicable, plans for public disclosure.
When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is related to this policy;
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security, after remediation and at a time of our choosing if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
- Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- Interact only with test accounts you own or with explicit permission from the account holder; and
- Do not solicit payment in exchange for your services.
If a vulnerability provides unintended access to data:
- Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), bank account data, credentials, or proprietary information;
- Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept;
- Avoid downloading or extracting data of any kind; a screenshot of 3-5 records is sufficient for your Proof of Concept.
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Given the sensitive nature of our data and our commitment to our customers' privacy, we only authorize public disclosure:
- After the vulnerability has been fully remediated;
- After CNote has reviewed and approved the disclosure details;
- And when no sensitive information is included in the disclosure.
-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBF5C6esBEACi1LCv1v4tvAEmJTLFmCu46lo/8gEp0EatqU6uMr7olNug
UiYuDtk3zehiMKjcwB2HQ6yXzVoe044THgB5ODl6Nw5+JLPEKRndEpB0ljtv
ATvV9m/gPDwjln8r/MtZYKZ6S+7bGDDIno/Y8BlPM6+X4T0D8jo5/fBtPvVk
bCq3TkGoZvrcmmPZ661me4y0Bmng9UGHseYiKTVAOPdxzOc1fQixAX+T8Kcg
wzvzeoWTVgsCEUEqcqJNdwCXWDweII3SRRubL5nDpInNhHkbICkrJyam6Hqe
IpxdYkZFymwWSJqXPhy3tfg4KL2teHXaTWxDpZQWGVrpc5PdwKTINX6OEWZ7
9YoGrPJlGc19Wxwm+35EJFRuDbDyXsbC89nLmq50si3JxONUmlhlS39DHWYT
/qPX2uX9IIFo3RK5zP+FJLu3Wf/42l0CSce4NkaTxpPaUW1e2eaNZ1nnkngN
uhSusmCQzd/qBwQQXt2z7Uvy8ABEZ3loVL0H4SW4SgUl09JAar0ASuwOeZa4
gwvPpnRErxHCUcUkouFHscxS6hxIZ0TrEkfA25XP1ZFAlEMkQLHxZmQQq7QN
NrI3q+I2jm9owG+YpO4VY/fAC7nbKcXW5g+9MIsUrIkWI4qQrhC5QaDbp4zE
Kk3KlrY3VDMTJp45Cggf/x9UQU4HhixdvqJxvwARAQABzSVjbm90ZS1zZWN1
cml0eSA8c2VjdXJpdHlAbXljbm90ZS5jb20+wsF1BBABCAAfBQJeQunrBgsJ
BwgDAgQVCAoCAxYCAQIZAQIbAwIeAQAKCRC9nJuMn4+Rc5q9D/4+mm6EZaP0
3RjeyBkINxd4hCMyRmuMReMsgRsbEZmCd1YTrays/EbCWxAlZb+SJPyHuw/Z
NogoKnMGjRFlUnWGYaKjHDAU1grC5LlacgBjEyMf7jn5sCapL1HCxnhroAST
QqBpjezGT/kUCqcjT4zt1uedeJzzsplTUfZIR1dgxJiRmBrAhqlG3lOxKG9S
VqInQPJJM6MptY6wgHYviLwoeF97msY4V8y9b4hqZg4uBrANXCjNyDn5reIx
PNxpP0gKaKaNbMgh7+oJnQfZUuYX4ITrEirt2jAxf0huHGuEU5fhcKGNlfVM
eizbni/ll4fr8csThpxh8GB8/2lk2LdUwoPUnVyP+URkvUixSZcatfmf6ki6
plqcpwk/jzfBPv3EMQ0EXO5vM827tCRkOIcpb3n5Zy9sD/5XW6zXPFhbeEA1
B/zmWo/FGCyNU2obwM9Tpuh4DxCyCmgLjgGUDGvoHtdwt1LO3U31N7pQY3yp
GlUGvFSMq/UkcCNAFKCzyAr9gL1STLXkPCbPXOioUfPYaSJDftxrqqQexNUS
xF1FGmhfP3lsxLMaNk2aryoP4TGflBr0J/GBBxpKt/7WWR4LT1eMTKPK9oLB
/jFrsl8me/hHh6jxz/fqNNaH5pydDvnMEtS37ul5se/7ccmJEnjXNHHv8QX/
AcnqvhX3Ofn4Pc7BTQReQunrARAA2hSw7FAiqxSwhqvmg6/ol+B6SIzPIxTE
1QE6I3f+vp7R9tSMQaZq0GVV53i08zH/xmf/r/qqNTbP/+tJ1LpJagO/PvL8
XX/VkeyFobzMWHbJ6TSNxCn5AhPcO4LXnWke8qIDalHwYCySnFNEJAO2egPV
JGgvL1O7ao1CoXLYUlGRasHTwFy57xJBOrdVH//hJtaQpUX6+f0tbvmfeLwH
YH4Q2+jhzNmuLlpPHf3Acn/zfSgYxA2FdYYgiiLsW+f2kPfMeoy8uddbAqP/
1S7CR8lCj1L3NuF/3GvmgORe3aNUgtqVMW2cAD5yG+YGcnlo1BH0hxFvTLYo
qKyT11IfPGcsNptp8TiE/0wa3E2VxE2VFcDUmW48FQD+FvI6QdVeRfGsD7/j
zsPMOHMLmjOj7J9a+h4zpdIrzGkwgbLihoXLALGZ1r5cJJm3JFjTBarlAiec
fMfjcQ16LKsITZlxeUwlW92cSmdT85CdcQlo/uvZivjpM1xQqdWVau6eiwOt
PJA0dZk56+Qr1vRNy89O0SHxSat+Oi3Z1/YIVj4D41tYgTf95wrMvHsxUYgg
5VvK7L9s0PdEJbZX+X15hPehn5dYNypjGDCGfXvP6AS6p2Nrtc3v19kD6XA4
is7D77fFI2X8E6Pn24ntWHtxE2RtXv62LfC6aJOQBCybOnuUYa8AEQEAAcLB
XwQYAQgACQUCXkLp6wIbDAAKCRC9nJuMn4+Rc7ucD/9LLF1DelJ73EGVt9uy
vytgxGEhJzRztjXQYEws80+jTjru4jqHkvYY/sQaHWgvFokoaKVaJ9c90DMg
EjQmmWa/aKnjTnyJDl3XLC76enm/XWOOWbuw1ndsjozVYO/kgQJ5NLzaUPc4
nku6tp2ESsspHw0tVKped0McHQLUY8qTR2BzuL6pYzfp4SIKlLVcK/PtF8Tt
wcD1k7w1KkiVI71aOQjj/smK4kzqt70t6SWep4AnIgs0GlhUv2cPQDUesjJd
kcIyV8GE0Rvjm7vmPuNL3wp6YGu2nyOV/gSjcx1E9sMjiDkyLivzQIRSJImY
rFe+gW58eysZjfp/IJNjturHR8j6ZCsVjJ88Q8v5i91+e6nC8xnYVZLN1cAo
64iEpkQCy8FITE4wl+/youO3OmomK+efqP1L74cAkMkBJs7SPOfaw7h1laDj
0VSPBdzmnTKNrSUwkia98KrtnziwBXixY6SG81pb78eQRoRPrRNpmNZSQiKN
B0mnECmeIZkYrt2BhayeJkMNskNbbGjoAJBJOMlcMt8cJKTt2DUadVK+KoVu
xEi89Mq7RQPnZvmLoR+dOB3QoiMAgGzshZDn9ArjKD9zHsWVX8EoXNcP8wUl
EBpN2DvynacVj8Uuu5FlqTYLEhGdFx9Aef2Xb1VGCDm+s3+O2cxDe98QDW8Y
lGO/eA==
=1SoT
-----END PGP PUBLIC KEY BLOCK-----