INFUSE Vulnerability Disclosure Program
Effective Date: November 20, 2024
Last Updated: November 20, 2024
INFUSE, Inc. is committed to maintaining the security and privacy of our systems, data, and users. We recognize the importance of cybersecurity and welcome responsible vulnerability reporting that can help us enhance our security posture.
Please read this information carefully before conducting any vulnerability research or submitting a report to ensure that your actions align with our guidelines.
1.0 Program Scope
The scope of this program includes potential vulnerabilities found in INFUSE, Inc.’s cloud-based infrastructure. Since all services and systems are hosted in the cloud, our infrastructure may include but is not limited to the following:
- Public-facing web applications and APIs managed by INFUSE, Inc.
- Cloud storage solutions that house publicly accessible data (no data extraction should be attempted)
- Corporate domains, including *.infuse.com
- Infrastructure hosted on third-party cloud platforms
2.0 Identifying Vulnerabilities
INFUSE, Inc. is interested in reports that demonstrate specific, tangible security impacts. These vulnerabilities include:
- Remote Code Execution (RCE)
- SQL Injection or equivalent injection vulnerabilities that lead to data access
- Cross-site scripting (XSS) that affects user privacy or data
- Server-Side Request Forgery (SSRF)
- Privilege escalation or unauthorized access to systems
- Misconfigured permissions or access controls in cloud storage
- Sensitive data exposure, such as PII (personally identifiable information) or financial data
- Security misconfigurations in cloud infrastructure that lead to data exposure or unauthorized access
- Vulnerabilities of open-source libraries and engines
3.0 Compensation and Recognition
INFUSE, Inc. values your contributions to security. However, as a matter of policy, INFUSE, Inc. will not provide any compensation or award.
4.0 Responsible Disclosure Guidelines
To promote responsible disclosure and ensure the safety of our systems:
- Do Not Access or Modify Data – Access only information necessary to demonstrate the vulnerability. Do not read, modify, or delete any data that does not belong to you.
- Do Not Disrupt – Avoid performing any actions that could disrupt our services, degrade user experience, or risk exposing user data.
- Provide Sufficient Detail – Include proof of concept, relevant screenshots, and detailed descriptions of the exploit steps.
- Allow Reasonable Time for Response – INFUSE, Inc. aims to acknowledge receipt of submissions within 72 hours and will make every effort to address and remediate reported issues promptly.
5.0 Submission Process
- Contact Information: All submissions should be sent to [email protected] with the subject line “Vulnerability Report – [Vulnerability Type].”
- Report Template: To facilitate efficient processing, include the following information in your report:
- Name and Contact Information
- Summary of the vulnerability and potential impact
- Detailed steps to reproduce the issue
- Any relevant scripts, code, or supporting materials (if applicable)
- Severity assessment based on CVSS (if applicable)
- Acknowledgment: INFUSE, Inc. will respond to your report within 72 hours to confirm receipt and will work with you as necessary to address any questions about the report.
6.0 Legal Safe Harbor
INFUSE, Inc. values the role of ethical researchers in maintaining our security standards. Actions conducted in good faith to identify and report vulnerabilities are considered authorized conduct under this program, and we will not take legal action against researchers complying with the program’s terms. However, any activity beyond the scope of this policy may result in legal action.
Thank you for helping us maintain a safe and secure environment at INFUSE!