
Report vulnerabilities

Report vulnerability
At ChannelEngine, we consider the security of our systems a top priority. However, vulnerabilities can be present regardless of how much effort we put into system security. ChannelEngine would like to ask you to help us better protect our clients' data and product. If you discover a vulnerability, we would like to know about it so that we can take steps to address it as quickly as possible.

Steps to take once you discover a vulnerability or a security incident:
  • Send your findings to ChannelEngine via the “Report vulnerability” link at the top of the page. Encrypt your findings to prevent this critical information from falling into the wrong hands.
  • Provide sufficient information to reproduce the problem, so that we are able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected component and a description of the vulnerability will be sufficient. More complex vulnerabilities may require further explanation and a simple proof of concept.

What not to do:
  • Do not exploit the vulnerability discovered, for example by downloading more data than necessary, or by deleting or modifying any data for proof of concept.
  • Do not reveal the vulnerability to other parties besides ChannelEngine, even after it has been resolved.
  • Do not use attack vectors such as physical security, social engineering, distributed denial of service, spam or applications of third parties.

What we promise:
  • ChannelEngine security team will respond to your report within  business days with an update of the report.
  • If you have followed the instructions above, ChannelEngine will not take legal action against you regarding the report.
  • ChannelEngine will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • ChannelEngine commits to give your name credit as the discoverer of the problem, unless you desire otherwise.
  • As a token of our gratitude for your assistance, we offer a reward for every report of a vulnerability that was not yet known to us and labeled as a vulnerability.
  • ChannelEngine will not reward any vulnerabilities that are already tracked.
  • The amount of reward will be determined based on the severity of the leak and the quality of the report as below:
  • ChannelEngine aims to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.

Out of scope:
  • HTTP 404 or 403 error codes/pages or other non-200 codes/pages and content spoofing/Text injection on these pages.
  • Fingerprint version banner disclosure on common/public services.
  • Disclosure of known public files or directories or non-sensitive cookies (e.g. Robots.txt, README.TXT, CHANGES.TXT).
  • Descriptive error messages (e.g. path disclosure)
  • OPTIONS HTTP method enabled.
  • Older versions of software products without known exploits.
  • Weaknesses in third party services (e.g. CDN providers, identity providers).
  • Anything related to HTTP security headers, e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Security-Policy
    • Content-Security-Policy
  • TLS/SSL issues (e.g. insecure negotiation, bad cipher suites, expired certificates, etc).
  • SSL forward secrecy is not enabled
  • Weak/Insecure cipher suites
  • SPF, DKIM, DMARC issues.
  • Host header injection.