Trust and Security

External Vulnerability Disclosure Policy

1. Purpose

PROS is committed to maintaining the highest standards of security for our software products and services. This External Vulnerability Disclosure Policy outlines how security researchers, ethical hackers, and external parties can responsibly report vulnerabilities they discover in our systems, ensuring the safety and integrity of our products and the trust of our users.

2. Scope

This policy applies to all external parties (researchers, ethical hackers, and other stakeholders) who identify and report vulnerabilities in PROS software products, services, websites, and related infrastructure. It covers all forms of vulnerabilities, including but not limited to:
  • Software applications (web, mobile, desktop)
  • APIs and web services
  • Cloud infrastructure
  • Network services
  • Documentation and public-facing resources
Excluded: This policy does not apply to vulnerabilities discovered in internal systems or any non-publicly accessible systems unless explicitly authorized by PROS.

3. Definitions

  • Vulnerability: A weakness in the system that can be exploited to compromise the confidentiality, integrity, or availability of the system or its data.
  • Responsible Disclosure: The practice of privately reporting security vulnerabilities to the affected organization, allowing them time to address the issue before public disclosure.
  • Safe Harbor: Legal protections provided to individuals who report vulnerabilities in good faith, preventing legal action by PROS as long as the reporting adheres to the policy.

4. Policy Statements

4.1. Encouragement of Responsible Disclosure

PROS encourages security researchers and external parties to report vulnerabilities responsibly. We value the contributions of the security community in enhancing the security of our products and services.

4.2. Legal Safe Harbor

To protect individuals who report vulnerabilities in good faith, PROS offers safe harbor provisions. PROS will not initiate legal action against a reporter as long as the reporter:
  • Engages in responsible and ethical behavior.
  • Does not perform unauthorized testing or actions beyond what is necessary to discover the vulnerability.
  • Adheres to the guidelines outlined in this policy.

4.3. No Authorization to Access

This policy does not grant permission to conduct security testing or access systems beyond what is necessary to identify and report the vulnerability. Unauthorized access or testing may violate applicable laws.

5. Reporting Process

5.1. How to Report a Vulnerability

Vulnerabilities can be reported through the following channels:

5.2. Required Information

When reporting a vulnerability, please include the following information to facilitate timely assessment and remediation:
  • Contact Information: Your name, email address, and any other relevant contact details.
  • Description: A clear and detailed description of the vulnerability.
  • Impact: Potential impact and severity of the vulnerability.
  • Reproduction Steps: Step-by-step instructions to reproduce the vulnerability.
  • Proof of Concept: Any code snippets, screenshots, or other evidence demonstrating the vulnerability.
  • Affected Systems: Specific products, services, or versions affected.

6. Response and Acknowledgment

6.1. Initial Acknowledgment

Upon receiving a vulnerability report, PROS will acknowledge receipt within 5 business days. The acknowledgment will include:
  • Confirmation that the report has been received.
  • A reference number for tracking.
  • An estimated timeline for further communication.

6.2. Assessment and Remediation

PROS will:
  • Assess the validity and severity of the reported vulnerability.
  • Prioritize remediation based on the impact and risk.

6.3. Final Communication

Once the vulnerability has been addressed, PROS will:
  • Inform the reporter that it has been resolved.
  • Coordinate public disclosure (if applicable) in a mutually agreed timeframe.

7. Recognition and Rewards

PROS does NOT offer financial compensation for vulnerabilities. PROS does offer a Certificate of Recognition for all valid vulnerability reports.

8. Responsible Disclosure Guidelines

To ensure responsible disclosure, reporters should adhere to the following guidelines:
  • Do Not Exploit: Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
  • Do Not Disclose Publicly: Refrain from publicly disclosing the vulnerability until PROS has had sufficient time to address it.
  • Respect Privacy: Avoid accessing or exposing any user data or private information.
  • Minimal Impact Testing: Conduct testing in a manner that does not disrupt services or affect other users.

9. Compliance and Legal Considerations

  • Applicable Laws: Reporters must comply with all applicable local, national, and international laws when testing and reporting vulnerabilities.
  • Privacy: PROS respects the privacy of all individuals and commits to protecting personal data.

10. Contact Information

For any questions or further assistance regarding this policy, please contact:

Thank you for helping us maintain the security and integrity of PROS products and services. Your contributions are highly valued and appreciated.