Vulnerability disclosure policy
Azure Printed Homes thanks you for helping us keep users of azureprintedhomes.com safe by protecting their information from unwarranted disclosure.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
We ask that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us;
- Report vulnerabilities as soon as you discover them;
- Do not solicit paid services or ask for monetary reward at any point in communicating with Azure Printed Homes;
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Azure Printed Homes until we’ve had 90 days to resolve the issue.
If you follow these guidelines during your security research, we will consider your research to be authorized, and we further commit to:
- Not recommending or pursuing legal action related to your research;
- Working with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
Scope
In-scope
This policy applies only to https://azureprintedhomes.com
Out of Scope
In the interest of the safety of our users, staff, the Internet at large, and you as a security researcher, the following test types are excluded from scope:
- Findings from physical testing such as office access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing, vishing).
- Findings from applications or systems not listed in the Scope section.
- Vulnerability reports with video-only PoCs.
- Reports that state that software is out of date or vulnerable without a proof of concept.
- Highly speculative reports about theoretical damage. Be concrete.
- Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- Recently disclosed zero-day vulnerabilities. We need time to patch our systems just like everyone else – please give us 30 days before reporting these types of issues.
- Issues in third-party services should be reported to the respective team. Please take a look at the “Third-Party Services” section for more information.
The following issue types are excluded from scope:
- Network-level Denial of Service (DoS/DDoS) vulnerabilities.
- Low-severity issues that can be detected with tools such as Hardenize and Security Headers.
- XSS issues that affect only outdated browsers.
- Content injection issues.
- Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.).
- Missing cookie flags on non-security-sensitive cookies.
- UI and UX bugs (including spelling mistakes).
- CSV and Excel injection.
- 401 page injection.
- Stack traces that disclose information.
- Host header issues without an accompanying proof-of-concept demonstrating vulnerability.
- Open ports without an accompanying proof-of-concept demonstrating vulnerability.
- Banner grabbing issues (figuring out what web server we use, etc.).
Reporting
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us at:
Please provide detailed reports with reproducible steps.
Rewards
At the present time, we do not offer rewards, monetary or otherwise, nor does our reporting policy constitute a “bug bounty program” for any disclosures.
Any submissions are voluntary, and any time spent researching our site is completely at the researcher’s discretion, and in no way constitutes “work” or an obligation for Azure Printed Homes to pay.
Our policy is intended for responsible disclosures only, and does not constitute an invitation to perform a service. This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Azure Printed Homes to be in breach of any legal obligations.
For the removal of doubt, any pressure or coercion to pay any monetary amount, on the basis of disclosing or exploiting a vulnerability, may amount to a criminal offense. Azure Printed Homes may refer such cases to local and federal law enforcement.
Third-Party Services
Azure Printed Homes uses a number of third-party services for web hosting, analytics tracking, and customer relationship management. If you discover an issue in one of these services, please report it to the appropriate security team at their company, not to Azure Printed Homes.