Responsible Disclosure Program

Introduction

This program and its guidelines are designed to provide a standardized process for anyone reporting vulnerabilities related to applications and services provided by Consensus Cloud Solutions, Inc., on behalf of itself and its subsidiaries, and its collective portfolio of brands (the “Organization”).

We are committed to maintaining the security of our systems and the confidential or proprietary information of our employees and customers. We value those who take the time and effort to responsibly report security vulnerabilities according to the guidance in this document. Doing so makes our products and our customers safer.

If you believe you have found a security vulnerability in any of the Organization’s applications or services, please notify us in accordance with this program. We will work with you to confirm and resolve the issue promptly. At this time we do not operate a public bug bounty program and we do not offer monetary rewards or compensation in exchange for vulnerability disclosures.

Guidelines

While researching and reporting a vulnerability, you must refrain from:

  • Breaking any applicable laws, rules, or regulations including any security and privacy rules issued by the Organization or any local, state, or federal government body.
  • Attempting any form of Denial of Service (DoS or DDoS), i.e. overwhelming a service with a high volume of requests or carrying out resource exhaustion attacks.
  • Using high-intensity, invasive, or destructive scanning tools to find vulnerabilities.
  • Spamming the Organization’s email systems or online forms.
  • Modifying any data in the Organization’s systems or services.
  • Phishing (social engineering) the Organization’s employees or contractors.
  • Conducting attacks against the Organization’s physical properties or data centers.
  • Demanding financial compensation in order to disclose any vulnerabilities.

Please be aware that disclosures regarding non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice” (for example, missing security headers), will be accepted; however, they will generally be considered a lower priority and may not receive a response.

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact.

The following issues are considered out-of-scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept (POC).
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector and/or without being able to modify HTML/CSS.
  • Rate limiting or brute-force issues on non-authentication endpoints.
  • Missing best practices in a Content Security Policy.
  • Missing HTTPOnly or Secure Flags on cookies.
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest released stable version).
  • Software version disclosure, banner identification issues, descriptive error messages, or headers (e.g. stack traces, application or server errors).
  • Tabnabbing.
  • Open redirect, unless an additional security impact can be demonstrated.

Procedure for Reporting

If you believe you have discovered a potential vulnerability, please send a report to responsible[dot]disclosure[at]consensus[dot]com. We will acknowledge your email within five business days. Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third-party. We aim to resolve critical issues within one week of disclosure.

It is important to make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Organization’s services.

As part of your report, please include the following details:

  • The location of the vulnerability (or the endpoint or URL with the vulnerability), which may require the software product name, version, and platform, or the website address where the vulnerability can be observed.
  • A brief description of the type of vulnerability, for example: “XSS vulnerability on <domain name>”.
  • Steps to reproduce the vulnerability. These should form a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports or of malicious exploitation of some vulnerabilities.

Scope

The Responsible Disclosure Program applies to the following systems and services:

Changes to the Program

The Organization may revise this program from time to time. The most current version of the program is posted at https://consensus.com/security.

Contact

Consensus is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at responsible[dot]disclosure[at]consensus[dot]com.