Responsible Vulnerability Disclosure Program

About this program

Here at InvGate, we are committed to protecting our customers and their data. As part of our overall security strategy, InvGate welcomes the contributions of external security researchers who find vulnerabilities to help us improve the security posture of our systems and customers. If you've discovered a security issue you believe InvGate should be aware of, we would love to work with you. InvGate recognizes and celebrates those who contribute valuable and impactful findings via the product’s changelogs; researchers can choose whether or not their contributions to InvGate’s security are made public. Our program applies to vulnerabilities found in our in-scope systems and products outlined below. By working with us collaboratively and confidentially, you will be acknowledged for your valid findings.

Program Rules

The following testing approaches and attacks are not scoped as part of this program:

  • Data exfiltration as a direct result of software vulnerabilities; if such a vulnerability is found, researchers must contact InvGate’s InfoSec team before exploiting it and await instructions. Unauthorized data exfiltration prior to agreeing a procedure with InvGate’s InfoSec team will constitute grounds for legal action.
  • Distributed or general Denial of Service attacks, though rate limiting and throttling findings might be accepted depending on circumstances and technical details of the finding itself.
  • Phishing, smishing or vishing of InvGate employees.
  • Attempting to obtain information from other user accounts. If you believe you've found an issue that may result in compromising the data or session of another user account, you must test against your own testing accounts and not against any InvGate customer environment, and notify us immediately.
  • Using automation to brute force login credentials.
  • Scraping large sections of this site, manually or with automation, to enumerate user IDs, usernames, e-mails, or other user/employee information.
  • Reports about missing security best practices (such as HSTS headers, CSP or CORS configuration) without actual evidence of exploitation.

Testing Account Rules

Prior to performing testing on the site, you must observe and agree to the following rules:

  • Attempts to gather information from an account other than the account being used should be limited to accounts you control. You may not at any time attempt to gather information from an account you do not directly own. If you want to test gathering information or escalating to another user, please create one demo account for each of these purposes.
  • For all requests, please send the header X-InvGate-VulnerabilityResearcher: (your e-mail address) to clearly indicate that your account is RVDP-related. This helps us troubleshoot possible issues resulting from the testing you are performing.

Safe Harbor

1. Safe Harbor Terms

To encourage security research and responsible disclosure of security-related vulnerabilities, InvGate hereby states that it will not pursue civil or criminal action, nor send notice to law enforcement, for accidental or good-faith violations of InvGate's Responsible Vulnerability Disclosure Program's Terms and Conditions ("the RVDP policy"). Given that InvGate has an international presence, the legislation of the following jurisdictions may apply: the United States of America, Argentina and the European Union.

1.A. InvGate considers security research and vulnerability disclosure activities that are conducted in a manner consistent with the RVDP policy to be “authorized” under the Argentinian Criminal Code, as well as under the DMCA (given that the company's infrastructure is located in the United States of America) and any other applicable computer use laws. Unless specific cases arise (for which the researcher shall be promptly notified beforehand), InvGate waives any potential legal claims against researcher(s) for circumventing the technological measures in place to protect the product scoped in our RVDP policy.
1.B. If a researcher's finding(s) involve the networks, systems, information, applications, products or services of a third party (that is, an entity other than InvGate), InvGate cannot bind that third party to InvGate's waiver, and the third party may pursue legal action or notify law enforcement. InvGate cannot and shall not authorize security research in the name of other external entities, and cannot in any way offer to defend, indemnify, or otherwise protect researcher(s) from any third-party action based on your actions. In this case, it is recommended to send the vulnerability to that third party's RVDP or security disclosure program; researchers shall copy rvdp@invgate.com on the report only if there is an InvGate-owned component within the submitted research.
1.C. You are expected, as always, to comply with all laws applicable to you (including those of your nationality and of your geographical location at the time of performing the research), and not to disrupt, distribute, publish or compromise any data, infrastructure or business continuity beyond what our RVDP policy allows.
1.D. Researchers must contact InvGate before engaging in conduct that may be inconsistent with, non-compliant with, or not addressed by the RVDP policy. InvGate reserves all rights to determine whether a violation of this policy is accidental or in good faith. Researchers proactively contacting us before engaging in any such action is a significant factor in that decision.

2. Third-Party Safe Harbor

If you submit a report through our RVDP program which affects a third-party service (whether or not InvGate employs that service), by default InvGate will limit the information shared with any affected third party. InvGate may share non-identifying content from a researcher's report with an affected third party, only after notifying the researcher(s) of our intention to submit the content, and after obtaining the third party's written commitment that they will not pursue legal action against researchers or initiate contact with law enforcement based on either our report or the researchers'. InvGate will not share your identifying information with any affected third party without first getting your written permission to do so, in compliance with GDPR and local Argentinian and US laws.

2.A. InvGate does not authorize out-of-scope testing on behalf of third parties, and such testing is beyond the scope of our policy. InvGate forbids research on third-party products, services, infrastructure, etc. performed through the unlawful or non-compliant use of any of InvGate's products, services or infrastructure. Moreover, InvGate forbids using any authentication artifact (including but not limited to passwords, API tokens and credentials) that is found, leaked, or obtained as a result of either RVDP-compliant or non-RVDP-compliant research targeting InvGate's products, services, infrastructure or any other asset owned by InvGate, to perform security and vulnerability research on the affected third party.

As an example, if an API token created and used by InvGate targeting a particular third-party is found as a result of research within InvGate's RVDP scope, said API token must not be used to perform security vulnerability research on the third-party's products, services or infrastructure. Legal action may be initiated, should the researcher fail to comply with this.

2.B. Researchers must refer to that third-party's RVDP or bug bounty policy, if they have one, or contact the third-party either directly or through a legal representative before initiating any testing on that third-party or their services. This is not, and must not be understood as, any agreement on InvGate's part to defend, indemnify, or otherwise protect researcher(s) from any third-party action based on your actions.
2.C. In the case a legal action is initiated by a third-party, including law enforcement, against researcher(s) because of their participation in this RVDP, and researcher(s) have sufficiently complied with our RVDP policy (as in, have not made intentional or bad faith violations), InvGate will take steps to acknowledge the compliance of a researcher's actions within InvGate's RVDP policy. While InvGate considers submitted reports both confidential and potentially privileged documents, thus protected from compelled disclosure in most circumstances, researchers must be aware that a court could, despite our objections, order us to share information with a third-party to any degree.
2.D. InvGate reserves the right to authorize public write-ups and other publications of found vulnerabilities by the researcher(s) who found them, in order to preserve the confidentiality of critical assets where applicable. Researchers must ask for authorization first, and an internal review process will approve or reject the researcher’s request in no more than 10 business days.

3. Limited Waiver of Other Site Policies

To the extent that an individual's security research activities are inconsistent with certain restrictions in our relevant site policies but at the same time are consistent with the terms of our RVDP program, InvGate temporarily waives those restrictions for the sole and limited purposes of permitting your security research under this RVDP program prior to an internal review with InvGate's Legal department.

Submission Recognition Rules

InvGate reserves the right to recognize you for the findings you've submitted to us. As part of this agreement, you agree not to disclose an issue before a remediation is deployed and to obtain prior authorization before any disclosure. Failure to adhere to these rules may result in a ban from this program or other actions.

How to Submit Your Report

All reports should be directed to rvdp@invgate.com. Please include the following information in your e-mail:

  1. Your full name or pseudonym (mandatory)
  2. Whether or not you want to be publicly acknowledged on our product’s changelogs
  3. GitHub/LinkedIn/Mastodon/X profile (optional)

To ensure that InvGate can properly review and validate your findings, please adhere to the following guidelines for your submission:

  1. Description: Provide a clear description of your finding.
  2. Reproduction Steps: Include detailed steps to reproduce the issue.
  3. Account Information: If applicable, provide the account name used for testing. This helps us verify account-specific states and troubleshoot the issue, including the user role type (e.g., user, manager, admin).
  4. Impact Description: Describe the impact on our environment, customers, data, or employees.
  5. Evidence: Include screenshots, videos, log files or proof-of-concept code to help us reproduce the issue.
  6. Browser Details: Specify the web browser version or 'User-Agent' used during testing, as this can affect the endpoint or workflow.
  7. Software and OS: When applicable, list the software versions and operating systems impacted.

Public Recognition Eligibility

  • The researcher agrees to the rules, terms, and conditions set forth in this document.
  • The researcher is not a current InvGate employee, nor have they been an employee within six months prior to submitting a report.
  • The researcher must be the first person to report this issue.
  • The researcher will not attempt to access personal information belonging to another user, including by exploiting a vulnerability.
  • The researcher will not perform attacks or security testing against vendors, partners, or third parties that may be in use.

Scope

This section lists the assets, websites, products, and services that are considered in-scope and out-of-scope. This list is subject to change without notice and should be reviewed prior to submitting a finding. Anything not listed here is considered out of scope.

In-scope assets

  • *.invgate.com (hosts and DNS records)
  • *.invgate.net (hosts and DNS records)
  • Public APIs
      • InvGate Service Management
      • InvGate Asset Management
  • InvGate Asset Management (IGAM) agent
      • Windows
      • Linux
      • macOS
      • iOS
      • Android
  • Mobile application (iOS)
      • InvGate Service Management

Out-of-scope vulnerabilities

  • TRACE, TRACK, or OPTIONS HTTP methods being enabled.
  • Non-exploitable clickjacking findings such as pages missing X-Frame-Options (unless exploitation is proven).
  • Logical bugs that represent no immediate or exploitable security risk.
  • Cross-site request forgery reports of features with behavior similar to CSRFs (e.g. webhooks).
  • Denial of Service attacks/weaknesses.
  • Generic best practice concerns without demonstrable exploitation.
  • Credential stuffing and account takeover via phishing or other means external to InvGate products.
  • Spam or social engineering methods.
  • Password complexity-related concerns.
  • Mobile application crashes that don’t lead to a security escalation issue or abuse.
  • Vulnerabilities requiring jailbroken devices or physical access to an unlocked device to exploit.

If you believe you've found an issue that affects an asset belonging to us but isn't included in the scope here, please contact us.

Severity Score

The chart below is based on Mitre’s Common Vulnerability Scoring System (CVSS) v3.1.

Severity | Score    | Example issues
Critical | 9.0-10.0 | PII disclosure, remote command execution, SQL injection, code injection, total authorization or authentication bypass, escalation from unprivileged or semi-privileged accounts to admin/root
High     | 7.0-8.9  | Cross-site scripting, SSRF, partial authorization or authentication bypass
Medium   | 4.0-6.9  | Directory traversal, cross-site request forgery, missing Secure flag on session cookies
Low      | 1.0-3.9  | Minor information disclosure, missing HttpOnly cookie flags, etc.
