Security vulnerabilities exist in any software or hardware implementation and therefore the team at Impero is fully committed to working with customers, security researchers and others who wish to offer up improvement ideas, new feature requests or information on perceived security vulnerabilities.
Anyone who has a product improvement or discovers a site or product flaw is encouraged to notify us using the guidelines in 1. below, our objectives being to maintain customer security to balance the achievement of a timely fix with assuring the quality of the work undertaken to achieve it and ensure a safe notification to users and customers as well as safeguarding the rights of third parties.
To maintain a coordinated and collaborative approach and to support ethical and responsible vulnerability reporting practices, we will not pursue legal action if we conclude that any disclosures are and remain in line with the guidelines at 1. below. We would encourage anyone with an interest in researching and reporting security issues to follow our simple guidelines for responsible reporting.
1. guidelines for ethical and responsible reporting
- When testing for a vulnerability respect and do not infringe the rights of third parties.
- Disclose the vulnerability to us first in strict confidence using the reporting procedure in 3 below rather than making it public to peers or online.
- Agree a reasonable amount of time for us to address the issue before sharing it publicly. In default of providing us with a stated time to fix the default delay to resolve is  days from your notification to us but this is to be extendable if we request.
- Provide us with clear and full details of the vulnerability, and tell us precisely how you found it in order for us to reproduce the conditions, verify and validate the flaw.
- Be sympathetic to the fact that a number of the services we use are control, led by third parties and not ourselves. We will report any vulnerabilities in third party software to the relevant partner organizations but we cannot control what they do nor do we condone infringement of the rights held by third parties (including individuals with subject access rights to personal data and owners of rights in software and databases used in or with our systems).
2. unacceptable practices
We do not condone security research that involves the following:
- Utilizing a vulnerability or carrying out activity further than is necessary to establish its existence (e.g. downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data).
- Potential or actual denial of service of Impero’s applications and systems.
- Brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
- Requests for remuneration for the reporting of security issues either to Impero Software, or through any external marketplace. Impero does NOT run a bug bounty programme and does not offer compensation for any vulnerabilities that are reported. If requested, and these guidelines are followed, the security researcher will be credited on this page and in the release notes of the software.
3. reporting security vulnerabilities
Please report any security concerns to [email protected] with an email address that we can contact you on should we need to. In some cases we may ask to meet with you for a chat.
We take security very seriously and will respond as quickly as we can to any security issues identified. Please understand that some of our software is very complex and may take a little time to update. We will respect a finder’s work if the guidelines at 1. are adhered to and we will do our best to acknowledge your disclosures and assign the necessary resources to investigate and fix potential problems as quickly as we can.
We will not take legal action against people that identify security vulnerabilities if the ethical, private reporting practices outlined in 1. above are followed and adhered to, so please don’t be afraid to get in touch.