Vulnerability Disclosure Program
Intrado's Vulnerability Disclosure Policy
Out of Scope:
- Banner/version disclosure
- Insecure SSL or TLS issues (e.g., ciphers, certificates, etc.)
- Security headers suggestions (e.g., HTTP Strict-Transport-Security (HSTS), Content Security Policy (CSP), etc.)
- SPF / DMARC / DKIM / DNSSEC suggestions
- Host header injections unless you can show how they can lead to stealing data
- Content spoofing or text injection
- Insecure cookie settings for non-sensitive cookies
- Use of a known-vulnerable library without evidence of exploitability
- Reports from automated tools or scans without accompanying demonstration of exploitability
- Software version disclosure without accompanying demonstration of exploitability
- Direct testing of 3rd parties
- Disruptive testing, including:
  - DoS / DDoS attacks
  - TDoS attacks
- Social engineering-based attacks (e.g., phishing, spam, vishing)
- Attacks via user devices