We take security seriously.

Security is our top priority and we proactively look for ways to improve the security of our products. Our security program is transparent so you can be confident when using our products for mission-critical projects.

Report a Vulnerability 

We welcome all contributions from our user community, developers, and security researchers to reinforce our product security. You could even be recognized in our security hall of fame for disclosing vulnerabilities responsibly! 

We strongly encourage you to report any security vulnerabilities to our private and confidential security mailing list: security@42crunch.com first, before disclosing them in any forums, blogs, sites, social media, or other groups, should they be public or private. 

If you wish to send secure messages to security@42crunch.com, you may use the following key: 

User: security@42crunch.com
Fingerprint: 68B982300B911319FFBA1F50A008A656C3CBA447

Responsible Disclosure of Vulnerabilities 

Based on the ethics of responsible disclosure, it is recommended to follow the process given below to report security vulnerabilities.  

  • If you are an independent security researcher or a community user, you must only use the security@42crunch.com mailing list.
  • If you are a 42Crunch customer, you can either mail security@42crunch.com or open a ticket at https://support.42crunch.com

Coverage

  • 42Crunch Platform and 42Crunch Firewall

Exclusions

  • docs.42crunch.com
  • support.42crunch.com

Accepted Vulnerabilities 

  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Code execution
  • Cross-Site Scripting (XSS)
  • Code or database injections
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Missing Function Level Access Control
  • Insecure Direct Object References

Everything else must NOT be attempted nor reported and do not qualify for rewards

  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC, SPF, DKIM, DMARC
  • Content spoofing/text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user's machine
  • Logout Cross-site Request Forgery (CSRF)
  • Missing CSRF token in login forms
  • Cross domain referer leakage
  • Missing HttpOnly flag
  • SSL/TLS related issues
  • Missing X-Frame-Options or X-Content-Type-Options HTTP headers