Version 1.0



--- For the Robots --- 

Contact: mailto:security@sitowise.com 

Expires: 2044-03-31T13:00:00.000Z 

Preferred-Languages: en 

--- End for the Robots ---

 

--- For the People ---

 

 

Sitowise Oy is a Finnish consulting company providing expert services in engineering, sustainability, digital solutions, and more. With over 1,900 specialists, Sitowise serves its customers through digital channels and face-to-face at its offices in Finland and Sweden.

 

----------------------------------------------------- Sitowise Responsible Disclosure -----------------------------------------------------

 

Sitowise provides private individuals, corporate customers, and institutions with customer-oriented consulting solutions, based on close collaboration through various channels. The individual needs of each customer are the starting point of everything we do.

 

The primary goals of our Vulnerability Disclosure Program are to ensure safe digital interactions with our end-users, align security with our service development lifecycle, and continually evolve our team's vulnerability management processes. Sitowise is looking forward to collaborating with the security community to find vulnerabilities to keep our operations and our users safe.

 

Participation in the program is subject to the rules below. Please note these rules may change from time to time.

 

Response Targets

 

Sitowise shall make best reasonable efforts to meet the following response times for hackers participating in our program:

 

Type of Response / SLA in business days:

 

 

 

First Response: 2 days

 

 

Time to Triage: 2 days

 

 

Time to Resolution: Depends on severity and complexity.

 

We’ll try to keep you informed about our progress throughout the process.

 

Disclosure Policy and Privacy

 

Follow Sitowise’s disclosure guidelines.

 

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

 

Reporting

 

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

 

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).

 

Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

 

Test Plan

 

When possible, include a custom HTTP header in the requests. Name of the header: "X-Security-testing" and string "sectesting-" combined with username as a value.

 

 

 

 

Name

 

 

Value

 

 

Example

 

 

 

X-Security-Testing

 

 

sectesting-

 

 

X-Security-Testing: sectesting-researcher1

 

This will help us to find the related log entries.

 

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

 

Prohibited Activities

 

 

 

Social engineering (e.g., phishing, vishing, smishing)

 

 

DDoS and spam attacks

 

 

Out-of-scope vulnerabilities

 

 

Clickjacking on pages with no sensitive actions

 

 

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

 

 

Attacks requiring MITM or physical access to a user's device

 

 

Previously known vulnerable libraries without a working Proof of Concept

 

 

Comma Separated Values (CSV) injection without demonstrating a vulnerability

 

 

Missing best practices in SSL/TLS configuration

 

 

Any activity that could lead to the disruption of our service (DoS)

 

 

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

 

 

Rate limiting or bruteforce issues on non-authentication endpoints

 

 

Missing best practices in Content Security Policy

 

 

Missing HttpOnly or Secure flags on cookies

 

 

Double HttpOnly or Secure flags on cookies

 

 

Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

 

 

Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

 

 

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)

 

 

Tabnabbing

 

 

Open redirect - unless an additional security impact can be demonstrated

 

 

Issues that require unlikely user interaction

 

In-scope Vulnerabilities

 

Everything that is not explicitly prohibited

 

Safe Harbor

 

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

 

Thank you for helping keep Sitowise and our users safe!

 

GDPR Rights

 

 

Access to or obtaining a copy of personal data

 

 

Correction of invalid information

 

 

Deletion of data or restriction of its processing, unless Sitowise has a requirement to maintain the information based on legislation

 

Personal data may only be stored for as long as necessary for the purposes of processing, i.e., until the issue has been solved.

 

Additional information on processing of personal data is available from Sitowise’s Data Protection Officer, tietosuoja@sitowise.com. Appeal to the supervisory authority of the Member State in which the person is domiciled or employed or where the alleged data protection infringement took place.

 

----------------------------------------------------- End of Sitowise Responsible Disclosure -----------------------------------------------------

 

--- End for the Humanoid ---