1. Purpose
PROS is committed to maintaining the highest standards of security for our software products and services. This
External Vulnerability Disclosure Policy outlines how security researchers, ethical hackers, and external parties can
responsibly report vulnerabilities they discover in our systems, ensuring the safety and integrity of our products and
the trust of our users.
2. Scope
This policy applies to all external parties (researchers, ethical hackers, and other stakeholders) who identify and
report vulnerabilities in PROS software products, services, websites, and related infrastructure. It covers all forms of
vulnerabilities, including but not limited to:
- Software applications (web, mobile, desktop)
- APIs and web services
- Cloud infrastructure
- Network services
- Documentation and public-facing resources
Excluded: This policy does not apply to vulnerabilities discovered in internal systems or any non-publicly accessible
systems unless explicitly authorized by PROS.
3. Definitions
- Vulnerability: A weakness in the system that can be exploited to compromise the confidentiality, integrity, or
availability of the system or its data.
- Responsible Disclosure: The practice of privately reporting security vulnerabilities to the affected
organization, allowing them time to address the issue before public disclosure.
- Safe Harbor: Legal protections provided to individuals who report vulnerabilities in good faith, preventing
legal action by PROS as long as the reporting adheres to the policy.
4. Policy Statements
4.1. Encouragement of Responsible Disclosure
PROS encourages security researchers and external parties to report vulnerabilities responsibly. We value the
contributions of the security community in enhancing the security of our products and services.
4.2. Legal Safe Harbor
To protect individuals who report vulnerabilities in good faith, PROS offers safe harbor provisions. PROS will not initiate legal action against a reporter as long as the
reporter:
- Engages in responsible and ethical behavior.
- Does not perform unauthorized testing or actions beyond what is necessary to discover the vulnerability.
- Adheres to the guidelines outlined in this policy.
4.3. No Authorization to Access
This policy does not grant permission to conduct security testing or access systems beyond what is necessary to
identify and report the vulnerability. Unauthorized access or testing may violate applicable laws.
5. Reporting Process
5.1. How to Report a Vulnerability
Vulnerabilities can be reported through the following channels:
5.2. Required Information
When reporting a vulnerability, please include the following information to facilitate timely assessment and
remediation:
- Contact Information: Your name, email address, and any other relevant contact details.
- Description: A clear and detailed description of the vulnerability.
- Impact: Potential impact and severity of the vulnerability.
- Reproduction Steps: Step-by-step instructions to reproduce the vulnerability.
- Proof of Concept: Any code snippets, screenshots, or other evidence demonstrating the vulnerability.
- Affected Systems: Specific products, services, or versions affected.
6. Response and Acknowledgment
6.1. Initial Acknowledgment
Upon receiving a vulnerability report, PROS will acknowledge receipt within 5 business days. The
acknowledgment will include:
- Confirmation that the report has been received.
- A reference number for tracking.
- An estimated timeline for further communication.
6.2. Assessment and Remediation
PROS will:
- Assess the validity and severity of the reported vulnerability.
- Prioritize remediation based on the impact and risk.
6.3. Final Communication
Once the vulnerability has been addressed, PROS will:
- Inform the reporter that it has been resolved.
- Coordinate public disclosure (if applicable) in a mutually agreed timeframe.
7. Recognition and Rewards
PROS does NOT offer financial compensation for vulnerabilities. PROS does offer a Certificate of Recognition for all valid vulnerability reports.
8. Responsible Disclosure Guidelines
To ensure responsible disclosure, reporters should adhere to the following guidelines:
- Do Not Exploit: Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
- Do Not Disclose Publicly: Refrain from publicly disclosing the vulnerability until PROS has had
sufficient time to address it.
- Respect Privacy: Avoid accessing or exposing any user data or private information.
- Minimal Impact Testing: Conduct testing in a manner that does not disrupt services or affect other users.
9. Compliance and Legal Considerations
- Applicable Laws: Reporters must comply with all applicable local, national, and international laws when
testing and reporting vulnerabilities.
- Privacy: PROS respects the privacy of all individuals and commits to protecting personal data.
10. Contact Information
For any questions or further assistance regarding this policy, please contact:
Thank you for helping us maintain the security and integrity of PROS products and services. Your contributions are
highly valued and appreciated.