Vulnerability Disclosure Program (VDP)

Introduction

Kaseware is committed to maintaining the security, confidentiality, and availability of our systems and customer data. We welcome responsible security research and encourage individuals to report potential vulnerabilities in accordance with our Vulnerability Disclosure Program (VDP).

This program is intended to provide clear guidelines for security researchers and to ensure reported issues are handled in a responsible, coordinated manner.

Scope

This Vulnerability Disclosure Program applies to externally accessible systems operated and maintained by Kaseware supporting its Government and Commercial SaaS environments. The following domains are in scope:

In-scope components include publicly accessible web applications and authentication workflows that enable secure user access and platform functionality.

Out of Scope

The following are not authorized under this program:

  • Denial-of-service (DoS) or resource exhaustion testing
  • Social engineering (including phishing or vishing)
  • Physical security testing
  • Testing of internal-only systems or administrative interfaces not publicly accessible
  • Underlying cloud infrastructure or third-party services not directly operated by Kaseware
  • Automated scanning that materially degrades performance or disrupts service
  • Any activity that could impact system availability, integrity, or customer operations

If there is uncertainty regarding scope, please contact us before conducting testing.

Rules of Engagement

Researchers must:

  • Conduct testing in a non-destructive manner
  • Limit exploitation to proof-of-concept only
  • Avoid accessing, modifying, or exfiltrating customer or sensitive data
  • Immediately cease testing and report the issue if sensitive data is inadvertently accessed
  • Refrain from establishing persistence, privilege escalation beyond proof-of-concept, or service disruption

Testing must comply with all applicable laws and be performed in good faith.

Safe Harbor

Kaseware considers security research conducted under this policy to be authorized and performed in good faith. We will not pursue legal action against individuals who responsibly report vulnerabilities in compliance with this program, provided that such activities:

  • Are limited to the in-scope systems listed above
  • Adhere to the testing restrictions defined in this policy
  • Do not intentionally access, modify, or exfiltrate sensitive or regulated data
  • Do not degrade system availability or disrupt customer operations
  • Exclude social engineering, physical testing, and denial-of-service techniques

This safe harbor does not apply to activities that are malicious, reckless, or conducted outside the boundaries of this policy.

Reporting Process

To report a potential security vulnerability, please use the secure submission form below.

[ <script async

 src=”https://bugcrowd.com/6cae53da-918c-4920-9fc0-de2afdca3d5f/external/script

 data-bugcrowd-program=”https://bugcrowd.com/6cae53da-918c-4920-9fc0-de2afdca3d5f/external/report“></script>]

Upon submission:

  • Reports will be reviewed by our security team
  • Receipt will be acknowledged within a reasonable timeframe
  • Valid findings will be investigated and remediated according to risk and operational considerations
  • We may coordinate with the reporter regarding responsible disclosure timing

Researchers should not publicly disclose vulnerabilities until remediation has been completed or disclosure timing has been agreed upon in writing.

Program Notes

This program is a vulnerability disclosure initiative and does not provide monetary rewards.

Kaseware takes reported vulnerabilities seriously as part of its ongoing security and continuous monitoring practices.