
Vulnerability Disclosure Program

Guidelines for Security Researchers

The Vulnerability Disclosure Program is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey Abrigo’s preferences in how to submit discovered vulnerabilities.

Abrigo encourages outside parties and security researchers to submit reports to Abrigo regarding potential vulnerabilities in Abrigo systems and platforms.


Authorization

Security researchers making a good faith effort to comply with this Program during their research will be considered authorized. Abrigo will work with any such security researcher to understand and resolve the issue, and Abrigo will not recommend or pursue legal action related to such research. Should legal action be initiated by a third party against the security researcher for activities conducted in accordance with this Program, Abrigo will make this authorization known.


Guidelines

Under this Program, “research” means activities in which an outside party:

  • Notifies Abrigo as soon as possible upon discovery of an actual or potential security issue
  • Makes every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
  • Only uses exploits to the extent necessary to confirm the presence of a vulnerability, and does not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems
  • Provides Abrigo with a reasonable amount of time before disclosing identified vulnerabilities publicly
  • Does not submit a high volume of low-quality reports

Security researchers that have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets) should stop testing, notify Abrigo immediately, and refrain from disclosing this data to anyone else.


Test Methods

The following test methods are not authorized:

  • Network or application denial of service (DoS) tests, distributed denial of service (DDoS) tests, or other tests that impair access to or otherwise damage a system or data
  • Physical testing (e.g., office access, datacenter access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing


Scope

Applications & Systems

This Program applies to specific applications and systems shown as “Included” in the table below. Websites that are not used to provide products or services to customers, or are otherwise deemed low risk to Abrigo, are intentionally noted as “Excluded” from scope.

Included

  • www.sageworksanalyst.com
  • uat.sageworksanalyst.com
  • login.abrigo.com
  • connect.abrigo.com

Excluded

  • www.abrigo.com
  • www.alll.com
  • www.bankerstoolbox.com
  • www.farin.com
  • www.iqautoscan3.com
  • www.mainstreet-tech.com
  • www.sageworks.com

Any application or system not expressly listed as “Included” above, such as connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in applications or systems from Abrigo vendors fall outside the scope of this Program and should be reported directly to the vendor according to their disclosure policy. Security researchers that wish to verify whether an application or system is in scope should contact [email protected] prior to starting their research.

Although Abrigo develops and maintains other Internet-accessible systems, active research and testing should only be conducted on in-scope applications and systems.


Vulnerability Types

Abrigo accepts reports from security researchers regarding most vulnerability types as noted in the “Included” section of the table below. Certain vulnerability types deemed low risk or otherwise deemed within Abrigo’s acceptable risk level are not accepted as itemized in the “Excluded” column.

Included

  • Authentication and authorization
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Directory traversal
  • Information leakage
  • Injection vulnerabilities

Excluded

  • Invalid or missing SPF/DKIM/DMARC records
  • Missing HTTP headers or cookie flags
  • Missing cookie flags
  • Password complexity and reset password flow
  • Results of automated tools or scanners
  • SSL/TLS vulnerabilities related to version/cipher

Vulnerability types not expressly listed as “Included” in the aforementioned table may be excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in applications or systems from Abrigo vendors fall outside the scope of this Program and should be reported directly to the vendor according to their disclosure policy. Security researchers that wish to verify if a given vulnerability type is in scope should contact [email protected] prior to starting their research.

Reporting

Vulnerability reports can be submitted using the inline form below. Reports may be submitted anonymously. Abrigo will acknowledge receipt of a vulnerability report to the security researcher submitting the report to the extent said researcher shared their contact information.

Information submitted under this Program will be used for defensive purposes only, such as mitigation or remediation of vulnerabilities. Abrigo will not share security researcher names or contact information without their express written permission.

Report Recommendations

To assist Abrigo with the triage and prioritization of submissions, the following details are recommended to be included as part of any report:

  • Describe the location in which the vulnerability was discovered and the potential impact of exploitation
  • Offer a detailed description of the steps taken to reproduce the vulnerability (proof of concept scripts or screenshots are helpful)


Report Response

For security researchers that elect to share their contact information as part of their report, Abrigo will strive to coordinate with the researcher openly and quickly as follows:

  • Within three (3) business days, Abrigo will acknowledge receipt of the report
  • Where feasible, Abrigo will confirm the existence of the vulnerability and provide transparency as to possible steps Abrigo may take during the remediation process, including any potential issues or challenges that may delay resolution
  • Abrigo will maintain an open dialogue to discuss issues
