Aprimo Vulnerability Disclosure Policy

Submission Process: If you discover a vulnerability, promptly submit the details through the email address designated for this purpose: Vulnerability@Aprimo.com.

Guidelines for Responsible Disclosure: Any and all action taken pursuant to this Policy must adhere to the following scope and guidelines:

  • Conduct research without disrupting systems (load testing is not permitted), violating privacy, or degrading user experience.
  • Use the designated communication channel: Vulnerability@Aprimo.com.
  • Do not report security vulnerabilities to Aprimo’s partners, clients, employees, or alternative email addresses. The information and data processed in Aprimo’s systems are strictly confidential.
  • Aprimo’s APIs deployed on partner and customer websites are covered by this responsible disclosure program.
  • Do not conduct DDoS attacks or test the website’s resilience to them; such attacks are strictly prohibited.
  • Do not disclose information about vulnerabilities publicly. Vulnerabilities may only be reported to Aprimo.
  • Do not publish screenshots, videos, or any sensitive information on external websites.
  • Do not use the intellectual property of Aprimo or any third party in an unauthorized manner.
  • Violation of the Policy may result in legal actions against you.

Considerations for Participation: When reporting vulnerabilities, always consider the attack scenario, exploitability, and security impact. The following issues are considered out of scope:

  • Clickjacking on pages without sensitive actions
  • UI/UX bugs and spelling mistakes
  • CSRF on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user’s device
  • Known vulnerable libraries without a working Proof of Concept
  • CSV injection without a demonstrated vulnerability
  • Missing best practices in SSL/TLS configuration
  • Activities leading to service disruption (DoS)
  • Content spoofing and text injection without a demonstrated attack vector or the ability to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records)
  • Vulnerabilities affecting only users of outdated browsers
  • Software version disclosure/banner identification issues
  • Publicly known zero-day vulnerabilities whose official patch is less than 1 month old (assessed case by case)
  • Tabnabbing
  • Open redirect, unless an additional security impact is demonstrated
  • Issues requiring unlikely user interaction
  • Vulnerabilities relying heavily on social engineering
  • Username enumeration
  • Vulnerabilities relying on the presence of plugins
  • Missing security headers/attributes (e.g., “X-Content-Type-Options”, “X-XSS-Protection”)
  • Missing CAPTCHAs as a security protection mechanism
  • Use of a known-vulnerable library without proof of exploitability
  • Vulnerabilities in third-party software, libraries, and code
  • Self-inflicted Cross-Site Scripting (Self-XSS)
  • Cache Poisoning
  • Vulnerabilities on third-party-hosted sites, unless they lead to a vulnerability on the main website

Scope:

  • *.Aprimo.us
  • Other domains owned by Aprimo.

Safe Harbor: Activities conducted in accordance with this Policy will be considered authorized, and Aprimo will not initiate legal action against you. If this Policy has been breached, Aprimo may take legal action against you and any participants involved. If a third party initiates legal action against you related to activities under this Policy, we will affirm that your actions complied with this Policy; however, we shall bear no liability or responsibility in connection with such third party’s claims.

Thank you for contributing to Aprimo’s security program!