Responsible Disclosure Policy

At Emburse we consider the security of our systems a top priority. But no matter how much effort we put into system security, it is still possible that you may find a vulnerability.

How to Report a Vulnerability

Please follow these steps to report a vulnerability:

  • Email: Send your findings to responsibledisclosure@emburse.com.
  • Provide Information: Include details such as the IP address or URL of the affected system, a description of the vulnerability, and any further explanation or Proof of Concept (PoC) if needed.
  • Contact Details: Share your contact information for further correspondence. You can also report a weakness anonymously or under a pseudonym, but then we’re unable to consult you, credit you, or consider the report reward eligible.

Rules of Engagement

Do:

  • Report the vulnerability as quickly as reasonably possible.
  • Provide Emburse a reasonable amount of time to address the issue.
  • Include all necessary details to reproduce and understand the vulnerability, aiding in a swift resolution.
  • Conduct your investigation using methods that minimize the risk to systems, data, and users.
  • Maintain open communication with us during the investigation and resolution process, respecting confidentiality requirements.
  • Allow adequate time for Emburse to address and resolve the reported issue.

Do Not:

  • Share information outside of communications with Emburse about the security problem until resolved.
  • Utilize attacks on physical security, social engineering, phishing, denial of service, spam, or third parties.
  • Install back doors or malware.
  • Take advantage of, delete or modify other people’s data.
  • Alter the system or its configuration, or repeatedly access the same system.
  • Use brute force techniques, like repeated password entries.
Specifically Out of Scope:

  • Anything resolving to a third-party service
  • Issues that we are already aware of
  • Issues that don’t affect current versions of web browsers
  • Issues that necessitate incredibly unlikely user actions
  • Information disclosures that are not a risk
  • Best practice recommendations

What We Promise:

Emburse commits to:

  • Acknowledgement: Sending an automated confirmation of receipt within 24 hours.
  • Evaluation: If the reported issue is relevant and specific, we will respond with an evaluation and an expected resolution date as soon as possible. Please note that submissions that are considered to be of low quality, that amount to a best practice recommendation, that are discernibly out of scope, or that are otherwise confusing may not receive further communication beyond the initial automated acknowledgement.
  • Quality Expectations: We deeply value and encourage detailed and skilled security testing. To ensure that our resources are focused on addressing significant vulnerabilities, we may be unable to fully engage with reports that lack human analysis or are generated solely by automated tools. We kindly request that submissions reflect a thoughtful investigation, clear understanding, and provide genuine insight into potential vulnerabilities.
  • Confidentiality: Handle your report with strict confidentiality and not pass on your personal details to third parties without permission, unless necessary to comply with legal obligations.
  • Legal Protection: If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our (IT) systems, we will not report your offense to the authorities.
  • Collaboration: If applicable, we will keep you informed and work collaboratively with you on the reported issue.

By outlining these promises, we're aiming to ensure clear communication with those who are engaging with our responsible disclosure program.

Third-party Bugs

If issues reported to us affect a third-party library, external project, or another vendor, Emburse reserves the right to forward details of the issue to that party. We will do our best to coordinate and communicate with you through this process.

Reward

Emburse may offer a reward based on the following criteria:

  • Caution: The care and precision taken in your investigation.
  • Quality: The overall quality and insightfulness of your report.
  • Impact: The amount of potential damages prevented as a result of your report.
  • Adherence: Compliance with the guidelines of this responsible disclosure agreement.
  • Disclosure: Disclosures that put Emburse or our clients at risk are not eligible for rewards.

Please note the following:

  • Anonymous Reports: Submissions made anonymously or under a pseudonym will not be considered eligible for rewards. We value transparency and the opportunity to collaborate with researchers, and this requires known contact information.