Blue Lava takes our responsibility to protect our sensitive information seriously. We encourage security researchers to report vulnerabilities they’ve discovered to us. This policy is in place so we can address any identified vulnerabilities and keep our information safe. This policy describes what systems and types of research are covered and how to send us vulnerability reports.
We ask that all researchers:
- Email your findings to security at bluelava dot io.
- Do not attempt to access customer or employee personal information. If you accidentally access any of these, please stop testing and alert us to the vulnerability.
- If you gain access to any non-public application or credentials, stop testing and report the issue immediately.
- Do not attempt to degrade our users’ experience, disrupt production systems, or destroy data during security testing.
- Do not collect information beyond what is necessary to document and demonstrate the vulnerability.
- Do not reveal the problem to others unless given explicit permission by Blue Lava.
- Do not use physical security attacks, social engineering, phishing, denial of service, or spam as part of your testing.
- Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Securely delete any Blue Lava information that is downloaded, cached, or otherwise stored on the systems used to perform the research.
In return, Blue Lava:
- Will respond to your report in a timely manner. We strive to have an initial response within 1 business day and to provide additional details/evaluation within 3 business days.
- If you have followed the instructions above, will not take any legal action against you in regard to the report.
- Will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission.
- Will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, will give your name as the discoverer of the problem (if you’d like).
- If you are the first to report the issue and we make a code or configuration change to address your report, will add your name to our Security Researcher Hall of Fame.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved. To encourage responsible disclosure, Blue Lava will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.
- www.bluelava.io (Website)
- se.portal.bluelava.io (Please do not test other subdomains of portal.bluelava.io)
Out of Scope
- Third-party websites or systems hosted by non-Blue Lava entities
- Individual customer portal instances (Any subdomains of portal.bluelava.io with the exception of se.portal.bluelava.io)
Examples of vulnerability types we’d encourage researchers to look for:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection (SQLi)
- Remote Code Execution
- Authentication-related issues
- Authorization-related issues
- Data Exposure
- Business Logic Flaws
Excluded Vulnerability Types:
- Physical testing
- Social engineering
- Cookies remaining valid after logout or password change
- Serving static content over HTTP
- Resource exhaustion, brute force, DoS, or DDoS attacks
- Internal IP address disclosure
- Same-site scripting
- Weak password policies
- Weak captcha / captcha bypass
- Vulnerabilities impacting only old/end-of-life browsers/plugins
- Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of Blue Lava systems or software (e.g. UXSS)
- Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
- Vulnerability reports relating to sites or network devices not owned by Blue Lava
- Vulnerability reports that require a large amount of user cooperation to perform
- Any submissions received without evidence of an exploitable vulnerability