Effective as of June 16, 2021
Introduction
Datasite, the cloud-based SaaS platform, is committed to securing our products, services and maintaining the trust of our customers. This policy prescribes how security researchers must conduct vulnerability discovery activities and submit discovered those vulnerabilities responsibly to Datasite. With our SaaS based platform, no patching is required to apply remediations to vulnerabilities, thus we will work directly with the researchers to confirm and validate that fixes have been applied and no longer exist. For our mobile applications, we will publicly mention any security fix in the application release notes.
You Should
We encourage you to contact us to report potential vulnerabilities in our systems. Thank you in advance for your submission and discretion, we appreciate researchers assisting us in our security efforts.
Authorization
In consideration for complying with this policy, Datasite authorizes you to conduct security research. We will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action related to your research nor support any third-party legal action brought against, unless required by law, for activities that were conducted in accordance with this policy.
Guidelines
Under this policy, “research” means activities in which you:
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must cease your test, notify us immediately, and not disclose this data to anyone else.
You agree that you will keep information related to the vulnerability confidential and will not disclose the vulnerability to any third-party unless Datasite has provided you with written authorization to do so even if you decide not to report it. By submitting your vulnerability, you hereby grant Datasite the right to use, create derivatives of, disclose, or modify any information that you have provided.
Scope
This policy applies to the following systems and services:
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us using the form below before starting your research.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
Reporting a Vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. We will not share your name or contact information without your express permission.
Submitting your vulnerability constitutes acceptance of this Vulnerability Disclosure Policy. Therefore, first, you should review this Vulnerability Disclosure Policy. Then submit the vulnerability using the Official Communication Channels. If you share contact information, we will acknowledge receipt of your report within 3 business days.
Upon receipt of the report, we will review and investigate the vulnerability without undue delay. We shall make every effort to notify you when this investigation starts. We use CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. If we determine that vulnerability requires remediation, we will start remediating the vulnerability as soon as practicable.
Official Communication Channels
Vulnerability reports should be submitted by contacting our team at [email protected] or using the form below.
We do not support PGP-encrypted emails. For particularly sensitive information, reach out directly via the email address provided and ask for a meeting to be setup to discuss.
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
What you can expect from us
When you choose to share your contact information with us, we shall make every effort to coordinate with you quickly and openly.
Safe Harbor
When conducting vulnerability research in compliance this policy and applicable laws, we consider this research to be:
If at any time you have questions or concerns or you are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channels before going any further.