Reporting a Vulnerability
Vulnerability Disclosure Program
Introduction
At Modica, we provide our clients with secure, high volume, enterprise messaging solutions. We value security and recognise the importance of ensuring the integrity and confidentiality of global communications.
Modica welcomes feedback from security researchers and the general public to help improve the security of our digital assets. If you believe you have discovered a security vulnerability (see definition below), a privacy issue, or exposed data in any of our assets, we want to hear from you. This document outlines the rules relating to Modica’s Vulnerability Disclosure Programme, including steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.
Definition of a Vulnerability
Modica considers a security vulnerability to be a genuine weakness in one of our products or our infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of our data, product or infrastructure.
Systems in Scope
Modica’s Vulnerability Disclosure Programme applies to any digital assets owned, operated, or maintained by Modica.
Out of Scope
- Services, assets or other equipment not owned by Modica.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate third party, vendor or applicable authority.
Our Commitments
When working with us in accordance with the rules of our Vulnerability Disclosure Programme, you can expect us to:
- Respond to your report within a reasonable timeframe taking into account the potential severity of the vulnerability, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of the assessment of a vulnerability as it is processed;
- Work to remediate confirmed vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbour for your vulnerability research that is related to Modica’s Vulnerability Disclosure Programme.
Our Expectations
In participating in our vulnerability disclosure programme, we expect you to operate in good faith at all times and ask that you:
- Play by the rules set out in this document and any other relevant agreements. If there is any inconsistency between this document and any other applicable agreements relating to vulnerability disclosure, the rules in this document will prevail.
- Report any potential vulnerability you’ve discovered promptly.
- Do not violate the privacy of others, disrupt our systems, destroy data, and/or harm user experience.
- Only use the official channels noted below to report and discuss vulnerability information with us.
- Do not disclose any identified vulnerability publicly.
- Only perform testing on in-scope systems, and respect systems and activities which are out-of-scope.
- If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required to effectively demonstrate a Proof of Concept (PoC), and cease testing and submit a report immediately if you encounter any at-risk user personal information or Modica proprietary information.
- Do not engage in extortion. If you attempt to engage in extortion, we may notify relevant regulatory bodies and/or law enforcement.
Official Channels
Please report security issues via support@modicagroup.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. It is important to use this official channel as it is secured through the use of appropriate encryption.
At the minimum, please include the following information in your report:
- Type of issue (cross-site scripting, SQL injection, remote code execution, etc.).
- Product and version with the bug or a URL if dealing with a cloud service.
- The potential impact of the vulnerability (i.e. what data can be accessed or modified).
- Step-by-step instructions or PoC to replicate the issue.
Safe Harbour
If you act in good faith and follow the rules of Modica’s Vulnerability Disclosure Programme when conducting vulnerability research, we will:
- Keep all information that you share with us confidential within Modica and our directly contracted suppliers and partners, unless we are required to disclose the information under applicable law.
- Not initiate legal action against you.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with our security vulnerability programme, please contact us through our official channel before going any further.
Note that the Safe Harbour applies only to legal claims under the control of Modica, and does not bind third parties.
Need more information?
Please contact us through our official channel (support@modicagroup.com) if you need more information or have any questions. If you’re concerned about email security, you can send a PGP-encrypted message to our team.
Acknowledgements
Modica appreciates the professionalism and support of all the security researchers who have helped us.
Below are the researchers who agreed to be publicly acknowledged for their effort.