Dualog Vulnerability Disclosure Program

Introductory Remarks

Dualog recognises that the security community is a force in our quest to provide a safe and secure experience for Dualog's customers. 

Our Vulnerability Disclosure Program aims to enable us to keep a high standard with regards to security in all our products and digital services, on-premises, throughout our operations and in the cloud environment. Please remember that only security vulnerabilities will qualify. To ensure that your observations are properly reported you shall use only approved channels, namely, you should report discovered vulnerability via email to security@dualog.com.

 

Guidelines and Scope limitations

  1. You cannot cause any harm, hinder application fluency or act against our Terms of Service or our GDPR addenum.
  2. Remember to provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during the discovery that will allow us to reproduce the vulnerability.
  3. We encourage the use of the Common Vulnerability Scoring System (CVSS) as a framework for communicating the characteristics and severity of software vulnerabilities. 
  4. Do not intentionally access non-public Dualog data anymore than is necessary to demonstrate the vulnerability.
  5. You shall be aware that you cannot compromise the privacy or safety of our customers and the operation of our services. Such activity will be treated as illegal.
  6. You must comply with applicable laws and regulations.
  7. You may not disclose any vulnerability without prior written consent from Dualog.

 

Process

Your submission will be reviewed and validated by a member of the Product Security Incident Response Team. 

  • When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.
  • Including a proof-of-concept for desktop vulnerabilities will expedite our investigation.
  • If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report.
  • When duplicates occur, we consider the first report that was received to be treated as unique, and subsequent reports will be marked as a duplicate. 

 

Activity considered to be out of scope

We accept only manual or semi-manual tests. We will consider all findings coming from automated tools or scripts as out of scope. Furthermore, issues without clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope. We reserve our right not to act in case of findings with no real risk impact on our data integrity and security. All researches violating our Terms of Service and GDPR-related documentation as well as governing law shall be treated as acting in bad faith and thus illegal. 

 

Disclosure

Dualog will collaborate with finders in good faith who wish to disclose vulnerabilities. To protect our customers, we expect that finders will wait until a fix has been made available and communicated to impacted customers, or a reasonable period of time has elapsed since notification.

 

Rewards

We are not obliged to provide remuneration, fee or rewards for any vulnerability disclosure – such action remains in our full discretion. 

 

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct, and we will not initiate legal action against you. 

 

Questions?

If you have any questions, please feel free to contact our CISO Geir Inge Jensen or send an inquiry to security@dualog.com