Vulnerability Disclosure Policy

INTRODUCTION

Qoria believes in providing the ability for good-faith security researchers to report security vulnerabilities that they find. We believe that a relationship of trust and respect can allow researchers to assist us in protecting the data of our customers as well as the confidentiality, integrity and availability of our products, services and systems. We believe that no system is perfect and want to help researchers report findings to protect those that trust us with their data and protection. Your participation in our Vulnerability Disclosure Policy program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you are indicating that you have read and agree to follow the rules set forth on this page.

 

TARGET AUDIENCE

Qoria accepts good faith reports of security vulnerability findings from any source including, but not limited to, cyber security researchers and our customers.

 

SEVERITY ASSESSMENT, PRIORITIZATION & RESPONSE

Any vulnerabilities reported to Qoria will be assessed for severity using the CVSS (Common Vulnerability Severity Scoring) framework. This severity assessment combined with contextual assessments forms the priority of a vulnerability.

All legitimate vulnerabilities reported via this form will be triaged, mitigated, remediated or accepted according to internally defined and agreed processes that govern the effective handling of vulnerabilities discovered within our environments.

Qoria will respond to any legitimate reports which are received via this form and will work with researchers to help maintain the privacy and safety of our customers.

 

DISCLOSURE POLICY

When conducting vulnerability research according to this policy, we consider this research to be:
  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

Please do not discuss any vulnerabilities (even resolved ones) outside of the program without consent from the Qoria Security team unless they are made public.

We appreciate your help and promise to treat you as a friend and ally as long as you act in good faith.

If you have any concerns or questions about this safe harbour policy, please contact our security team directly (You can find our contact details in our RFC9116 compliant security.txt file).

 

PROGRAM RULES

  • Please provide detailed reports with reproducible steps.
  • Do not access, impact, destroy or otherwise negatively impact Qorias customers, or customer data in any way.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. Respect our users’ privacy.
  • If, during your testing, you gain access to another user’s data, immediately discontinue testing and notify us. No data belonging to another user should be extracted or shared.
  • No extortion, shakedowns, or duress.
  • Don’t leave any system in a more vulnerable state than you found it.
  • Be respectful when interacting on reports with our team.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When a vulnerability consists of different parameters but has the same API endpoint please group this together in the same report.
  • When a vulnerability occurs to a third-party integration (such as Zendesk, etc) we will treat all reports as a single report.
  • Social Engineering is not allowed.
  • Do not exceed the defined scope of this policy when performing testing, testing is strictly only permitted within the scope defined on this page.

 

SCOPE

Product

Link

Qustodio

*.qustodio.com

School Manager and Classwize

*.familyzone.io

Smoothwall Firewall

N/A

Record Manager

app.safeguard.software

CipaFilter

*.cipafilter.com

Net-Ref

Testdistrict05.net-ref.com

login.net-ref.com

speedtest.net-ref.com

Educator Impact

*.educatorimpact.com

Family Zone

*.familyzone.com

Qoria

*.qoria.com

 

OUT OF SCOPE

  • *.cybersafetyhub.*
  • Denial of service or degradation of our production services
  • Social engineering of customers or employees (ie. via phishing, vishing or smishing)

 

FOCUS AREAS

  • Broken access control
  • Privilege escalation
  • Proof of concept access to sensitive information
  • Remote code execution
  • XSS resulting in access to sensitive data (e.g. session info)
  • SQL injection resulting in access to sensitive data or functionality
  • Broken authentication
  • Indirect Object References
  • Business logic flaws that result in access to sensitive data or functionality

SUBMISSION FORM