Responsible Disclosure Program

At ActivTrak we value and welcome ethical hackers who find and report vulnerabilities to us. Our Responsible Disclosure Program (RDP) guidelines are listed below.

Guidelines

  • Please avoid any privacy violations, degradations, and disruption to the availability of our production systems during your testing.
  • Do not store, share, compromise, or destroy ActivTrak or customer data.
  • Do not attempt to brute-force or spam our systems.
  • If the identified vulnerability can potentially extract information about our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is necessary for us to consider your disclosure a responsible one.
  • Please keep your disclosure confidential between yourself and ActivTrak until we resolve the issue.
  • We will update each submission with significant events, including confirmed validation, information requests, and if you have qualified for a reward or recognition.
  • We will do our best to remediate issues in a short timeframe.
  • Please limit update requests to once a week. We understand the importance of the disclosures, and our team is working on reviewing, validating, and fixing issues.
  • Submissions may be closed if a reporter is non-responsive to requests for information after seven days.
  • Please submit findings in English.
  • Please test vulnerabilities only on your own accounts.

Do not perform any of the following or you may be banned from our Responsible Disclosure program, with the possibility of legal action.

  • Selling or sharing vulnerability details
  • Public disclosures without coordination
  • Demanding of payment
  • Use of extortion language
  • Violating our Acceptable Use Policy (https://www.activtrak.com/acceptable-use-policy/)
  • Testing out-of-scope systems

Scope

The following are in scope as part of our Responsible Disclosure Program:

The following are not in scope as part of our Responsible Disclosure Program:

  • Our “Create Free Account” form and all forms on www.activtrak.com
  • Our Careers page on https://www.activtrak.com/careers/
  • Our ActivTrak Help Center on https://support.activtrak.com/hc/en-us
  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  • Third-party applications, websites or services that integrate with or link to ActivTrak.
  • Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.
  • Findings derived primarily from social engineering (e.g., phishing, vishing).
  • Functional, UI, and UX bugs and spelling mistakes.
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.
  • Our mail servers or MX records.

Exclusions

ActivTrak takes security seriously. Our triage, evaluation, and remediation processes are risk-driven and higher-risk vulnerabilities will take precedence.

Following is a non-exhaustive list of findings that will not be considered for reward or recognition:

General:

  • Previously reported issues that are being tracked internally
  • Internally tracked issues without additional impact or information
  • Social engineering (Phishing, Physical attacks, Vishing, Other)
  • Vulnerabilities in third-party services or sites not directly controlled by ActivTrak
  • Raw scanner output without validation
  • Network level denial of service
  • Functional, UI, and UX bugs and spelling mistakes

Web Application/Browser Extension:

  • Self-Exploitation (such as self-XSS or self-DoS)
  • Vulnerabilities in third-party services or sites not directly controlled by ActivTrak
  • Missing security headers without demonstrable impact
  • SSL/TLS vulnerabilities without demonstrable impact
  • Clickjacking on pages with no sensitive actions (pages without a login form, for example)
  • Open redirects to non-whitelisted domains (unless chained with other vulnerabilities)
  • Version disclosure without proven vulnerability
  • Descriptive error messages without sensitive data exposure
  • Password complexity requirements
  • Directory listings without sensitive files or data
  • Publicly accessible login/admin panels, provided authentication is required
  • Internal IP addresses in headers without security impact
  • Content spoofing or text injection without security impact
  • Logout Cross-Site Request Forgery (CSRF)
  • Concurrent sessions allowed
  • Username/Email enumeration during registration or login
  • Missing cookie flags (for example HttpOnly or Secure) without a chained vulnerability
  • Overly permissive CORS without data exposure
  • Attacks requiring deprecated browsers
  • Comma Separated Values (CSV) injection
  • XSS proofs of concept that use alert(1). Use alert(document.domain) instead, which shows the origin the injected script actually executed in.

Agent:

  • Outdated dependencies without demonstrable impact
  • Privilege escalation issues that require administrator/root access on the operating system
  • Issues that require an unsupported operating system

Email and DNS:

  • SPF/DMARC/DKIM misconfigurations without proof of exploitability
  • Subdomain takeover on unused/parked domains

Vulnerability Submissions

Please report any security issues you find to [email protected]. If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.

Please follow these submission guidelines:

Subject: “Vulnerability Disclosure: VULNERABILITY TITLE”

Body:

  • Name
  • Company Name (if applicable)
  • Vulnerability Title
  • Affected System
  • Reproduction Steps: Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability
  • Potential Impact and Recommendation
  • The relevant details of your system’s configuration, such as any browser or user-agent information and operating system version
  • Your IP address and ActivTrak account, so we can correlate your activity with our logs

Attachments: Attach to email directly. Please do not send links to storage hosting websites.

  • Formats:
    • Accepted:
      • Plaintext (txt, csv)
      • Markdown (md)
      • Video (mp4)
      • PDF
      • Images (png, jpg)
    • Rejected:
      • Archive Files (zip, bz, 7z, rar, iso, tar, other)
      • Office Files (docx, xlsx, other)
      • Executable files (.exe, .py, .sh, other)

Reward

We may grant a nominal award after verifying that the vulnerability is reproducible, unique, and can impact our customers. Each submission will be evaluated case-by-case. The decision and amount of the reward will be at our discretion. Even if we cannot offer monetary compensation, we would be glad to publicly acknowledge your contribution in the Hall of Fame section on our website with your permission.


Thank You

We sincerely thank you for disclosing responsibly and working with us to improve our security. We understand the work and talent you have put into finding these issues and appreciate you reaching out to us.

Our PGP Key

If you are submitting sensitive vulnerability information or wish to communicate with us privately about your concern, you can use the following PGP key to encrypt your message.

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
