OnviSource Responsible Disclosure Program

We take the security of our systems, products, employees, and customers’ information seriously. We value and appreciate the security community, and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to OnviSource, Inc. (referred to herein as OnviSource or 'we'/'us'/'our').

This vulnerability disclosure program aims to: 

  • Value security researchers who conduct vulnerability tests in full compliance with this document and responsibly disclose vulnerabilities to us

  • Explain how we will manage disclosed vulnerabilities (including requirements for "safe harbor")

  • Give both Customers and researchers confidence in our process to ensure our customers, their data, and the internet at large remain as secure as possible

OnviSource requires all researchers to:

  • Make a good faith effort to avoid violations of privacy, degradation of user experience, disruption to production systems, and destruction of data during security testing

  • Refrain from overly broad use of automated scanning tools. We understand that scanning tools are an important first step; however, please aim to minimize impact (and be sure to read the Out of Scope section below)

  • Perform research only within the scope set out below

  • Do not engage in any activity that can potentially or actually cause harm to OnviSource, our customers, or our employees

  • Do not store, share, compromise or destroy OnviSource or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact OnviSource as specified below. This step protects both potentially vulnerable data and you

  • Do not engage in any activity that violates A) International Law B) US Federal and State Laws or C) the laws or regulations of any country where 1) data, assets or systems reside, 2) data traffic is routed or 3) the researcher is conducting research activity

  • Only interact with accounts you own or with explicit permission of the account holder

  • Use the below listed communication channel to report vulnerabilities to us

  • Keep information about any vulnerabilities you have discovered confidential between OnviSource and yourself. Wait for our consent to discuss a vulnerability with other parties outside of OnviSource.

In Scope Targets

  • onvisource.com or www.onvisource.com

  • any system reachable at a *.onvisource.com subdomain

Out of Scope

The following attacks/activities are out of scope:

  • Any findings from applications or systems not listed in the ‘Scope’ section

  • Rate Limiting attacks (Including brute forcing accounts, DoS, DDoS, or account enumeration)

  • Missing best practices in SSL/TLS configuration

  • Missing best practices in Content Security Policy (CSP)

  • Missing security headers that don’t directly lead to a vulnerability or account compromise

  • Presence of common public files, such as robots.txt or files in the well-known directory

  • Missing DNS and email best practices (invalid, incomplete or missing DNSSEC/SPF/DKIM/DMARC records, etc.)

  • Information disclosure including software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors)

  • Password policy issues, including lack of upper limit on passwords

  • Self-exploitation issues (such as self XSS, cookie reuse, self-denial of service, etc.)

  • XSS that requires a file to be opened in another browser tab or window

  • Attacks requiring Man-in-the-middle (MITM) or physical access to a user's device

  • Vulnerabilities affecting users of older browsers (more than two versions behind the current stable version)

  • Previously known vulnerable libraries (including prototype pollution) without a working Proof of Concept that demonstrates a meaningful exploit or account compromise

  • Clickjacking issues, without a working Proof of Concept that demonstrates a meaningful exploit or account compromise

  • Blind Server-Side Request Forgery (SSRF), without a working Proof of Concept that demonstrates a meaningful exploit or account compromise

  • UI and UX bugs (including spelling mistakes or broken links)

  • Any social media accounts or accounts based on another provider's services

  • OSINT information

  • For AI features, engineered prompts or submissions to evoke inappropriate responses


Actions that you should not undertake under any circumstances:

  • You shall not perform physical testing such as office/datacenter access (e.g., open doors, tailgating)

  • You shall not impersonate or perform social engineering attacks on OnviSource personnel or customers (including phishing/vishing)

  • You shall not exfiltrate any data under any circumstances

  • You shall not intentionally compromise the privacy or safety of OnviSource personnel or any third parties

  • You shall not intentionally compromise the intellectual property or other commercial or financial interests of any OnviSource personnel, entities, or third parties

  • You shall not perform any attacks against other users of OnviSource’s solutions

Failure to adhere to any of the above requirements, directly or indirectly, may void any "safe harbor" offered by OnviSource and will provide OnviSource with the right to use all remedies available to it, including taking legal action against you, your agents, partners, and your constituents.

“Safe Harbor”:

If you follow these requirements when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research unless you have violated the terms and requirements specified in this document

  • Work with you to understand and resolve the issue quickly and using our commercially reasonable efforts (including an initial confirmation of your report)

  • At OnviSource's sole discretion, engage a neutral third party to assist if communications or other problems arise

  • Use commercially reasonable efforts to make a code or configuration change based on the issue (Note: time to remediate will vary based on the complexity and level of risk)

  • If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take commercially reasonable steps to make it known that your actions were conducted in compliance with this policy.

  • OnviSource will not offer, under any circumstances or conditions, any monetary rewards or any compensation of any kind to you or any other third party engaged or not engaged in the vulnerability test process

Disclosure details:

To report any findings consistent with this policy, please contact OnviSource here: security-disclosure[at]onvisource[.]com

If you wish to encrypt your submission, please do so using the public key found here: public key

Note: Submissions from those subject to international sanctions will be immediately dismissed by OnviSource.

Modified Date: 2025-04-03