Hornetsecurity Vulnerability Disclosure Policy

Hornetsecurity recognizes the importance of independent security research in order to keep everyone on the internet save and secure. The purpose of this vulnerability disclosure policy is to ensure the safety and security of Hornetsecurity’s systems and technologies. This policy outlines the requirements for disclosing security vulnerabilities and provides guidance on the process for discovering and reporting vulnerabilities.

Investigating Vulnerabilities

  • Please test for bugs and vulnerabilities responsibly:
  • Limit your testing and exploitation of vulnerabilities to the absolute minimum required, i.e. instead of dumping a whole database, only query for single entries to perform spot checks.
  • Whenever possible, exploit accounts that you yourself own and operate. Do not try to access other people’s data.
  • Only use non-destructive payloads.
  • Do not test for (D)DoS.
  • Do not perform test that put heavy load on our systems.
  • Do not perform tests on third-party systems that are not hosted by Hornetsecurity.
  • Do not perform non-technical attacks (e.g. Phishing) against our employees, customers or users.

Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by Hornetsecurity.

Out of Scope

  • Assets or other equipment not owned or operated by Hornetsecurity.
  • Third party tools or software not hosted by Hornetsecurity.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Disclosure Requirements

When Hornetsecurity discovers vulnerabilities in third-party applications, we follow the coordinated responsible disclosure process. When you discover a vulnerability in one of our systems, we also would like you to report it responsibly, timely and exclusively to us to allow for analysis and remediation/mitigation. Likewise, when we receive a vulnerability report, we will carefully examine its content and – if applicable – take action to mitigate the issue.

  • In your report, please outline a detailed summary of the issue you’ve found, mentioning (if applicable):
  • type of the issue
  • the affected system (URL, IP, …)
  • product and software version
  • step-by-step instructions to reproduce the issue
  • proof-of-concept
  • impact estimation
  • possible exploitation scenario
  • suggested mitigation/remediation

Please refrain from sending automated reports or a high quantity of low-effort reports. Hornetsecurity reserves the right to ignore such reports at our discretion.

Reporting & Mitigation Process

Any vulnerability must be disclosed exclusively to the address mentioned in https://hornetsecurity.com/.well-known/security.txt. Hornetsecurity will triage your report and confirm, request more information or reject the report within 14 days.

Hornetsecurity aims to mitigate/remediate any reported issue within 120 days. Once the mitigation/remediation is in place, you will get notified and potentially asked for confirmation that the issue is properly fixed. Please allow us this time frame to resolve the reported issue before you disclose it publicly.

Updates to This Policy

This policy and the outlined vulnerability disclosure program might get updated or cancelled at any time. Any decisions regarding the handling of vulnerability reports is at our discretion.

Official Channels

Please report security issues via the channels mentioned in https://hornetsecurity.com/.well-known/security.txt, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.

Safe Harbor

When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.