RESPONSIBLE DISCLOSURE POLICY

At SaaS Labs US, Inc. (hereinafter, “SaaS Labs”), ensuring the safety and security of our customer's data and the reliability of our products are of utmost importance to us. Therefore, we strive to design and create products with the highest levels of security and reliability. Despite our best efforts, our products and services may still contain vulnerabilities and errors due to their highly complex and sophisticated nature.

Purpose

This policy outlines SaaS Lab's methods for identifying and addressing potential vulnerabilities and errors in its products. It encourages external parties to report any issues they may encounter while using our products so that we can promptly investigate and resolve them. SaaS Lab encourages customers, users, researchers, partners, and anyone else who interacts with SaaS Labs' products to report any identified vulnerabilities or errors with such products.

Submitting a Report

The preferred method of contacting SaaS Labs regarding vulnerabilities and errors is sending your report to security@saaslabs.co. Please include the following details with your report:

• Description of the location and potential impact of the exposure;
• A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and

Your name/handle and a link for recognition in our Hall of Fame.

Please be assured that providing your name and contact information with your report is entirely optional and at your discretion. SaaS Labs values all reports that are submitted, whether anonymously or with name and contact information. Rest assured that SaaS Labs is committed to respecting your privacy. In the event that you do choose to submit your name and contact information, SaaS Labs will only use such information to reach out to you if any clarification on the details of your report is necessary and to include your name in the Hall of Fame.

What to Expect

SaaS Labs will endeavor to acknowledge the receipt of your report within three (3) working days of submission. You will be kept informed of our progress and completion of any remediation actions pursuant to your report. SaaS Labs will also work with you to understand and resolve the vulnerability quickly.

By submitting a report, you acknowledge and agree to the following terms:
SaaS Labs reserves the right to use your report for any relevant purpose, including but not limited to correcting any vulnerabilities and errors that are reported and deemed necessary by SaaS Labs. If you propose any changes or improvements to a SaaS Labs product or service in your report, you are assigning all ownership and usage rights of those proposals to SaaS Labs.

Guidelines for Responsible Disclosure

Scope

• *.saaslabs.co
• *.helpwise.io
• app.helpwise.io
• *.helpwise.help
• *.helpwisemail.com

Out-of-Scope Vulnerabilities

Any services hosted by third-party providers and services are excluded from the scope.

In the interest of the safety of SaaS Labs's users, staff, the Internet at large, and you as a security researcher, the following test types are excluded:

• Denial of service
• Spamming emails or messages
• Social engineering (including phishing) of SaaS Labs staff or contractors or SaaS Labs subsidiaries' staff
• Any physical attempts against Helpwise property or data centres
• Content spoofing / text injection
• Self-XSS [to be valid, cross-site scripting issues must be exploitable in reflected, stored or DOM-based types]
• Logout and other instances of low-severity Cross-Site Request Forgery
• Open redirects with low-security impact (exceptions are those cases where the impact is higher such as stealing oauth tokens)
• Missing http security headers
• Missing cookie flags on non-sensitive cookies
• Password and account recovery policies, such as reset link expiration or password complexity
• Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM)
• SSL/TLS best practices
• Clickjacking/UI redressing with no practical security impact
• Username / email enumeration via Login Page or Forgot Password Page error
• Modification of Messages

If you have any clarifications to make, contact us at security@saaslabs.co

Rules:

You will not:

• Exploit or use the discovered vulnerabilities and/or errors, except for reporting to SaaS Labs;
• Conduct testing/research of systems with the intention of harming SaaS Labs, its customers, employees, partners or suppliers;
• Use, misuse, delete, alter or destroy any data related to the vulnerability and/or error discovered;
• Conduct social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
• Test the physical security of any property or building of SaaS Labs;
• Breach any applicable laws or regulations in connection with your interaction with SaaS Labs' products that lead to your report.
• Disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, and the fact that vulnerabilities and/or errors have been reported to SaaS Labs.
• Demand any reward or benefit, financial or otherwise for disclosing any vulnerabilities;

You will:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
• Perform research only within the scope set out above;
• Keep any information you receive or collect about SaaS Labs, its customers or any of their visitors, or employees or agents in connection with this policy (“Confidential Information”) confidential.

If you follow SaaS Labs Responsible Disclosure Policy when reporting an issue, then SaaS Labs will:

• Not pursue or support any legal action related to your research;
• If you are the first to report the issue and we make a code or configuration change based on the issue.

SaaS Labs reserves the right to modify or amend any terms of this Policy at any time without any notice.

Hall of Fame

At SaaS Labs, we use our Hall of Fame program to recognize people who have responsibly shared one or more security vulnerabilities in our products, enabling us to serve our customers better. Please refer to the Security Hall of Fame for details. Decision to include you in the Hall of Fame is at the sole discretion of SaaS Labs.