Deskera Responsible Disclosure Reward Program

Policy

Deskera Singapore Pte. Ltd. (“Deskera”) is committed to keeping our customers’ data secure and maintaining our systems and processes. The Deskera Responsible Disclosure Reward Program (“Program”) is open to the public. Any security researcher can take part and report potential security vulnerabilities in Deskera’s products and services to Deskera according to the Program’s Terms and Conditions, as set forth on this page. By participating in the Program, you acknowledge that you have read and agreed to the Program’s Terms and Conditions.

Definitions

Security Team: Deskera’s appointed team of individuals who are responsible for addressing security issues found in Deskera’s products or services.

Report: Your description of a potential security vulnerability in Deskera’s product or services that is submitted to Deskera as part of the Program.

Scope

This Program covers all Deskera Applications, which are as follows:

Eligibility Requirements

To be eligible for the Program, you must not:

  • Be in violation of any national, state, or local law or regulation and your testing must not violate any law, or disrupt or compromise any data that is not your own;
  • Be employed by Deskera or its affiliates;
  • Be an immediate family member of a person employed by Deskera or its affiliates, or of a former employee of Deskera within six months prior to submitting a Report;
  • Be a former employee of Deskera within six months prior to submitting a Report; or
  • Be less than 18 years of age. If you are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the Program.

You must be reporting in an individual capacity or, if employed by another company, you must have your company’s approval to submit a Report to this Program. If Deskera discovers that you do not meet any of the criteria above, Deskera will remove you from the Program and disqualify you from receiving any reward payments.

Disclosure Program Guidelines

Failure to follow the Disclosure Program Guidelines below will result in your immediate disqualification from the Program and ineligibility for receiving any reward payments.

  • Do not engage in any testing that (i) results in a degradation or disruption of Deskera’s systems, (ii) results in an alteration or deletion of any information in Deskera’s systems, (iii) results in you, or any third party, accessing, storing, sharing, compromising or destroying Deskera’s data or Deskera’s users’ data, or (iv) results in any disruptive or destructive impact on Deskera’s systems, such as, but not limited to, denial of service, social engineering, spam, brute force, or third-party hacking/scanner applications used to target websites.
  • Do not engage in automatic testing.
  • Follow the Report Process. Contacting our sales or support team (hello@deskera.com, sales@deskera.com, support@deskera.com or implementation@deskera.com) will result in an immediate disqualification for a reward for that Report.
  • Follow the Vulnerability Disclosure Process and keep confidential any information about discovered vulnerabilities.
  • Combine reports if the same or similar root cause affects multiple endpoints, subdomains or assets.

Report Process

Please submit your Report via email to security@deskera.com. Prefix the subject of your email with [Deskera Responsible Disclosure Reward Program]. In your Report, please include the following information:

  1. Description of the location and potential impact of the vulnerability.
  2. Detailed description of the steps required to reproduce the vulnerability. Proof of concept (POC) scripts, screenshots, and screen captures are all helpful. Please use extreme care to properly label and protect any exploit code.
  3. Any other technical information and related materials we would need to reproduce the issue.
  4. Any potential remediation.

Vulnerability Disclosure Process

Prior to the resolution of vulnerabilities in the Report, the Report will remain non-public to allow the Security Team sufficient time to remediate the vulnerability. The Security Team will make a good-faith effort to resolve the vulnerability in the Report in a prompt and transparent manner. Deskera reserves the right not to publicly disclose the Report if Deskera does not find the Report credible or high risk and decides not to remediate the vulnerability. Deskera also reserves the right to reject, redirect or prioritise any Reports at any point in time. After resolution of vulnerabilities in the Report, public disclosure may be requested by either the Security Team or you, and the Report may be disclosed based on mutual agreement and on a coordinated disclosure basis (respective public disclosures to be posted simultaneously).

Disclosure of the Report may also be made subject to the terms below:

  • If the Security Team has evidence of active exploitation or imminent public harm, the Security Team may immediately provide remediation details to the public so that users can take protective action.
  • Due to complexity and other factors, some vulnerabilities will require longer than the default 60 days to remediate. In these cases, the Report may remain non-public to ensure the Security Team has an adequate amount of time to address a security issue. The Security Team will remain in open communication with you when these cases occur.
  • If any law requires disclosure of any content of the Report to the public, Deskera’s customers or the regulator (e.g. Singapore’s Personal Data Protection Act 2012), the Security Team may immediately disclose the Report.

Disclosure Rewards

You will be eligible for a reward if: (i) you are the first person to submit the vulnerability; (ii) that vulnerability is verifiable, replicable, and determined to be a valid security issue by the Security Team; and (iii) you have complied with all the Program’s Terms and Conditions. Deskera determines the amount of the reward, based on the following:

  • The caution taken in your investigation;
  • The quality of your Report; and
  • The amount of potential damages prevented as a result of your Report.

All reward decisions are at the discretion of Deskera and are final. Deskera will review Reports of duplicate vulnerabilities to see if they provide additional information and reward accordingly, but will otherwise only reward the first reporter. In case of any ambiguity (in issues such as whether multiple faults constitute a single bug, or who is the first reporter, etc.), Deskera shall have the discretion to decide the course of action, and its decisions may not be contested by you. Multiple vulnerabilities caused by one underlying issue will be considered duplicate vulnerabilities, and only the first reporter will be eligible for the reward. Deskera will inform you if you are eligible for the reward. The format and timing of the reward payment shall be determined by Deskera. The reward payment will be made in Singapore Dollars (SGD). You will be responsible for the payment of any taxes associated with the reward received. Deskera may require your personal particulars before payment of the reward. The following guidelines give you an idea of what Deskera will usually pay out for different tiers of bugs. The minimum reward for an eligible Report is SGD 50 and the maximum reward for an eligible Report is SGD 500. Deskera shall have the sole discretion to determine the size of the reward, and the following tiers, while indicative, are not binding upon Deskera:

Tier 3: Low Severity Bugs SGD 50 and up

  • Mixed content issues
  • Server misconfiguration or provisioning errors
  • Information leaks or disclosure (excluding customer data)
  • “Tab-Nabbing” or other rel="noopener" bugs
  • And other low-severity issues

Tier 2: Medium Severity Bugs SGD 100 and up

  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • Broken Authentication affecting a single team
  • Privilege Escalation affecting a single team
  • SSRF to an internal service, hosted by Deskera
  • Information leaks or disclosure (including customer data)
  • And other medium-severity issues

Tier 1: High Severity Bugs SGD 250 and up

  • XSS

Tier 0: Critical Severity Bugs SGD 500 and up

  • SQL Injection
  • Remote Code Execution
  • Privilege Escalation affecting all teams
  • Broken Authentication affecting all teams
  • SSRF to an internal service, with extremely critical impact (e.g. immediate and direct security risk)
  • And other critical-severity issues

Exclusion

The following are unlikely to be eligible for a reward:

  • Issues found through automated testing
  • “Scanner output” or scanner-generated reports
  • Publicly-released bugs in internet software within 3 days of their disclosure
  • “Advisory” or “Informational” reports that do not include any Deskera-specific testing or context
  • Vulnerabilities requiring physical access to the victim’s unlocked device
  • Rate limits
  • Denial of Service attacks
  • Brute Force attacks
  • Spam or Social Engineering techniques, including:
      • SPF, DKIM, and DMARC issues
      • Content injection
      • Hyperlink injection in emails
      • IDN homograph attacks
      • RTL Ambiguity
      • Content Spoofing
  • Issues relating to Password Policy
  • Full-Path Disclosure on any property
  • Version number information disclosure
  • Clickjacking on pre-authenticated pages, or the non-existence of X-Frame-Options, or other non-exploitable clickjacking issues (An exploitable clickjacking vulnerability requires a) a frame-able page that is b) used by an authenticated user and c) which has a state-changing action on it vulnerable to clickjacking/frame re-dressing)
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Reports related to the following security-related headers:
      • Strict Transport Security (HSTS)
      • XSS mitigation headers (X-Content-Type and X-XSS-Protection)
      • X-Content-Type-Options
      • Content Security Policy (CSP) settings (excluding nosniff in an exploitable scenario)
  • Self-XSS
  • Open ports without a vulnerability
  • Bugs that do not represent any security risk
  • Security bugs in third-party applications or services (including those built using Deskera APIs) – please report them to the third party that built the application or service
  • Security bugs in software related to an acquisition for a period of 90 days following any public announcement

Responsible Disclosure Policy and Privacy

Deskera pledges not to initiate any legal action against you if you have complied with the Program’s Terms and Conditions in good faith. Deskera will not share your personal details with others without your express permission.

Ownership of Reports

As between Deskera and you, as a condition of participation in the Program, you hereby grant Deskera a perpetual, irrevocable, worldwide, royalty-free, transferrable and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Report, as well as any materials submitted to Deskera in connection therewith, for any purpose. You hereby represent and warrant that the Report is original to you and you own all right, title and interest in and to the Report. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Report to Deskera.

Termination

In the event Deskera determines, in its sole discretion, that your continued participation in the Program could adversely impact Deskera (including, but not limited to, presenting any threat to Deskera’s systems, security, finances and/or reputation), Deskera may immediately terminate your participation in the Program and disqualify you from receiving any reward payments.

Confidentiality

Any information you receive or collect about Deskera or any Deskera user through the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information without Deskera’s prior written consent.

Indemnification

You hereby agree to defend, indemnify and hold Deskera, its affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Deskera, harmless from any claim or demand (including legal fees) made or incurred by any third party due to or arising out of your Report, your testing, your breach of these Program Terms and Conditions, and/or your improper use of the Program.

Changes to Program Terms and Conditions

The Program, including its policies, is subject to change or cancellation by Deskera at any time, without notice. As such, Deskera may amend these Program Terms and Conditions and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Program after Deskera posts any such changes, you accept the Program Terms and Conditions, as modified.

Other Terms

  • Nothing in this Program shall create any relationship of agency, partnership, association or joint venture between you and Deskera.
  • Deskera will not be liable to you for loss or damage of any kind caused by any action that is taken or not taken by Deskera in relation to the Program.
  • Deskera will not be obliged to consult you for any public statements that Deskera considers necessary to release.
  • Deskera will not provide you any protection or immunity from civil or criminal liability.
  • In case of any dispute, Deskera's decision will be final and binding on all parties.