Legal
Responsible Disclosure Policy
Last Updated: Sep 18, 2024 (view the prior version here.)
At Plivo, we take the security of our systems seriously and value the contributions of the security research community. Our responsible disclosure policy promotes the safe discovery and reporting of vulnerabilities, ensuring the security and privacy of our users. If you are a security researcher, please follow the guidelines below to report vulnerabilities.
Disclosure Process
Please ensure that your security testing does not violate privacy, degrade the user experience, disrupt production systems, or result in any destruction or manipulation of data.
Use exploits only to the degree necessary to validate the presence of a vulnerability. Do not exploit a vulnerability in a way that compromises or exfiltrates data, establishes persistent access, or pivots to other systems.
Do not disclose any vulnerabilities, such as by creating a blog, sharing the report or proof of concept (PoC) on social media (e.g., Twitter), or through third parties, without our prior written consent. Instead, report them directly to [email protected].
Type of issue we are looking for
- Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Cross-Site Scripting (XSS)
- Authentication or authorization issues
- Privilege escalation
- Data leakage
- Business logic vulnerabilities
- Security misconfigurations
- Any other issues that could compromise user data or system integrity.
Inscope
- Plivo.com and its subdomains.
- Plivo’s products and services
Out of Scope
The following are considered out of scope:
- Findings derived from physical testing (e.g., office access, open doors, tailgating).
- Findings derived from social engineering (e.g., phishing, vishing).
- UI and UX bugs, spelling mistakes.
- Network-level denial-of-service (DoS/DDoS) vulnerabilities.
- Automated vulnerability scanner reports (e.g., Nuclei, Zap, Burpscan Report, etc.).
- Disclosure of server or software version numbers.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms that do not involve sensitive actions
- Subdomain takeovers without supporting evidence.
- Session invalidation when the credential is already known.
- Missing rate limits and Self-XSS that cannot be used to exploit other users.
- MITM (Man-in-the-Middle) or physical access to a user's device.
- CORS misconfigurations on non-sensitive endpoints.
- Missing security headers and cookie flags.
- Password policy best practice issues.
- Tabnabbing and Clickjacking.
- Open redirect - unless an additional security impact can be demonstrated
- Email spoofing, SPF, DMARC, or DKIM issues.
- Content Spoofing, Text injection, or IDN homograph issues without impact.
- Missing best practices in SSL/TLS/CAA configuration.
- Disclosing API keys without proven impact.
- Banner grabbing, Version disclosure, or Path Disclosure.
- UserId/email enumeration.
- Issues related to Exif data and XMLRPC.
- HTTP Request smuggling without any proven impact.
- Hyperlink injection in emails.
- Use of a known-vulnerable library without proven impact.
- Public zero-day vulnerabilities with an official patch available for less than one month
- Leaked credentials in the dark web or credential dumps.
Things we do not want to receive
Under no circumstances should the following information of individuals be submitted, including but not limited to Plivo customers and employees:
- Personally identifiable information (PII)
- Credit card or payment information
How to Report a Security Vulnerability
If you believe you have discovered a security vulnerability in one of our products or platforms, please report it to [email protected]. Your report should include the following details:
- A description of the vulnerability and its potential impact.
- A detailed explanation of the steps needed to reproduce the vulnerability.
- If possible, include proof-of-concept (POC) scripts, screenshots, or screen recordings to help us identify and resolve the issue more efficiently.
Response & Determination on Exploitability
We aim to provide an initial update within 10 working days, and we will address all vulnerabilities based on their internal priority and criticality.
Plivo retains the sole discretion to determine whether a reported vulnerability is exploitable and the level of risk it presents. While we value and encourage input from the security community, our security team will make the final decision regarding the issue's exploitability, classification, and priority.