CNote’s Vulnerability Disclosure Program


Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy for our users, partners, and employees. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

In Scope

  • https://demo.mycnote.com
  • https://demoadmin.mycnote.com
  • Public S3 buckets (if any are found, please contact us immediately)

Out of Scope

  • https://secure.mycnote.com
  • https://staging.mycnote.com
  • https://www.mycnote.com
  • https://wpstaging[dot]mycnote[dot]com

Official Communication Channel

Contact us via email (security@mycnote.com) with a detailed report of the potential vulnerability. If you believe the vulnerability is serious or your report includes sensitive or confidential information, then please encrypt the message with PGP. Our corporate PGP key is listed at the bottom of this page.

This email should include as much of the following as possible:

  • Type of vulnerability
  • Whether the information has been published or shared with others
  • Affected sites
  • Affected configurations
  • Step-by-step instructions or proof-of-concept code to reproduce the issue

Once submitted, a member of our security team will personally acknowledge that we have received your report within 24 hours and provide an outline response plan where applicable.

We will then review the information and work to validate the reported vulnerability. In the event that a true vulnerability is discovered we will complete the investigation and notify the reporter. Where appropriate the reporter will receive results of the vulnerability findings, a plan for resolution, and, if applicable, plans for public disclosure.

Expectations

When working with us according to this policy, you can expect us to:

  • Extend Safe Harbor for your vulnerability research that is related to this policy;
  • Work with you to understand and validate your report, including a timely initial response to the submission;
  • Work to remediate discovered vulnerabilities in a timely manner; and
  • Recognize your contribution to improving our security, after remediation and at a time of our choosing, if you are the first to report a unique vulnerability and your report triggers a code or configuration change.

Ground Rules

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:

  • Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
  • Report any vulnerability you’ve discovered promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • Interact only with test accounts you own or that the account holder has explicitly permitted you to use; and
  • Do not solicit payment in exchange for your services.

If a vulnerability provides unintended access to data:

  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), bank account data, credentials, or proprietary information;
  • Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept;
  • Avoid downloading or extracting data of any kind; a screenshot of 3-5 records is sufficient for your Proof of Concept.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Disclosure Policy

Given the sensitive nature of our data and our commitment to our customers’ privacy, we only authorize public disclosure:

  • After the vulnerability has been fully remediated;
  • After CNote has reviewed and approved the disclosure details;
  • And when no sensitive information is included in the disclosure.

PGP Key
