We are Readdle Limited (“Readdle”, “we”, “our”, “us”), and we manage the PDF Expert desktop and mobile applications and our website pdfexpert.com.
Security is one of our core values, and we highly appreciate the input from security professionals acting in good faith that helps us maintain a high standard for the security and privacy of our users.
This PDF Expert Responsible Disclosure Policy (“Disclosure Policy”) sets out our definition of good faith in the context of finding and reporting vulnerabilities, describes what systems and types of research it covers, how to send us vulnerability reports, and what you can expect from us in return. By “good faith,” we understand you acting in accordance with the DOs and DON’Ts as set forth below.
If you believe you have discovered a security or privacy vulnerability that affects the PDF Expert software, services, or web servers, please report it to us as described in this Disclosure Policy.
When you conduct vulnerability research on PDF Expert and report issues to us, you agree to comply with this Disclosure Policy and all applicable laws and regulations, including those that govern privacy or the lawful processing of personal data.
Guidelines
To distinguish legitimate vulnerability research from a malicious attack, we require security researchers to
DO:
- Play by the rules. This includes following this Disclosure Policy and any other relevant agreements
- Report any vulnerability you have discovered promptly via the Official Channel (see Reporting below)
- Use only the Official Channel to discuss vulnerability information with us
- Keep the details of discovered vulnerabilities confidential: refrain from publishing, in any manner, any information about vulnerabilities you have discovered
- Perform testing only on in-scope systems
- If a vulnerability provides unintended access to data, you must (1) limit the data you access to the minimum required to demonstrate a proof of concept, and (2) cease testing and (3) submit a report immediately if you encounter any user data during testing, such as personally identifiable information (“PII”), personal healthcare information (PHI), credit card data, or proprietary information
- Interact only with test accounts you own or accounts you have explicit permission to use from the account holder
DO NOT:
- Violate the privacy of others, disrupt our systems, destroy data, and/or harm user experience
- Test systems, or perform activities, that are out of scope (see below)
- Engage in extortion
- Perform any denial-of-service type of attack
Our Commitments
Provided you strictly follow this Disclosure Policy, we commit to:
- Extend Safe Harbor (as defined below) for your vulnerability research
- Collaborate with you to understand and validate your report, including providing a timely initial response to the submission
- Work to remediate discovered vulnerabilities in a timely manner
- Recognize your contribution to improving our security in accordance with the Rewards section of this Disclosure Policy, provided (1) you were the first person to report a unique vulnerability and (2) your report triggers a code or configuration change
Safe Harbor
Provided you strictly follow this Disclosure Policy, we shall consider your vulnerability research to be:
- Authorized in view of any applicable anti-hacking laws: we will not initiate or support legal action against you for accidental, good-faith violations of this Disclosure Policy
- Authorized in view of relevant anti-circumvention laws: we will not bring a claim against you for circumvention of technology controls
- Exempt from our Terms of Service restrictions that would interfere with conducting security research, and we waive those restrictions on a limited basis
- Lawful, helpful to the overall security of the Internet, and conducted in good faith
We expect your compliance with all applicable laws. If legal action is initiated by a third party against you and you have complied with this Disclosure Policy, we will take commercially reasonable steps to make it known to the third party that your actions were conducted in compliance with this Disclosure Policy.
If you have concerns or are uncertain whether your security research is consistent with this Disclosure Policy, please submit a report through our Official Channel before going any further.
Scope
The following services and applications are in-scope:
- The pdfexpert.com website, pdfexpert.de and related subdomains
- All related PDF Expert services and functionality, APIs, back-ends, and infrastructure
- PDF Expert applications on iOS and macOS
- Any public (Internet-facing) infrastructure owned and operated by Readdle and related to PDF Expert:
- Examples include firewalls, networking devices, compute instances, proxies, etc.
- Any public cloud (e.g. AWS, DigitalOcean, Hetzner) resource or infrastructure operated and managed by Readdle and related to PDF Expert:
- Public cloud storage accounts (e.g. AWS cloud storage buckets)
- Public cloud computing resources (e.g. AWS instances)
- Anything with a significant impact across our entire security posture or infrastructure.
Out of Scope
- Attacks that require using an outdated operating system, browser, and/or PDF Expert software
- Attacks designed or likely to degrade, deny, or adversely impact services or user experience (e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying, Spam, etc.)
- Attacks (or attempts) designed or likely to destroy, corrupt, or render unreadable data or information that does not belong to you
- Attacks designed or likely to validate stolen credentials, credential reuse, account takeover (ATO), hijacking, or other credential-based techniques
- Intentionally accessing data or information that does not belong to you beyond the minimum viable access necessary to demonstrate the vulnerability
- Performing physical, social engineering, or electronic attacks against Readdle personnel, offices, wireless networks, or property
- Reports of non-sandboxed applications that could access PDF Expert application data on macOS or secret tokens inside the Keychain
- Security issues in third-party applications, services, or dependencies that integrate with PDF Expert products or infrastructure (e.g., libraries, SaaS services) without a demonstrable proof of concept for the vulnerability
- Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a library we rely on to include a vulnerability for the sole purpose of receiving a reward)
- Attacks performed on any systems not explicitly mentioned as authorized and in-scope
- Reports of missing ‘best practices’ or other guidelines that do not indicate a security breach
- Reports of security issues related to deliberately setting weak security controls by the account owner (e.g., using a storage account with a weak password)
- Reports of successful Keychain or application data extraction on jailbroken iOS devices
- Reports of missing source code obfuscation in application binary files or embedded interpreted code
- Vulnerabilities requiring physical access to the victim’s unlocked device
- Reports generated from automated vulnerability assessment tools
- Missing cookie flags on non-sensitive cookies
- Reports of insecure SSL/TLS ciphers (unless accompanied by a working proof of concept)
- Reports of simple IP or port scanning
- Missing HTTP headers (e.g., lack of HSTS)
- Reports of missing Domain Name System Security Extensions (DNSSEC)
- Email security best practices or controls (e.g., SPF, DKIM, DMARC)
- Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven vulnerability
- Reports of the presence of version information
- Reports of old versions of the software without demonstration of vulnerability in PDF Expert apps
- Clickjacking or self-XSS reports
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls or running unsigned software
- Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure
- Reports of execution of user-provided code in sandboxed environments (e.g., running JavaScript embedded in PDF documents)
- Domain-based phishing, typosquatting, Punycode homographs, bitflips, or similar techniques
- Leakage of sensitive tokens, passphrases, and keys to trusted third parties over a secure connection (HTTPS)
- Reports that rely on having full control of an authorized user’s session (e.g., the victim is using a compromised system or walks away from a public computer without logging out)
- Reports of CSRF on the logout endpoint
- Reports of privilege escalation attempts that change the application user interface but do not actually expose or modify any data on the server
- Reports of bypassing IP-based rate limits by using a pool of IP addresses
- Reports of text injection for AWS S3 buckets based on the “Invalid URI” error message (also applicable to other cloud object storage services)
Rewards
We believe in recognizing the work of others that helps us to improve.
Readdle provides rewards to vulnerability reporters at its discretion. You can use the following indicative values for general guidance:
- Critical (9.0-10.0) — $3000+
- High (7.0-8.9) — $1000
- Medium (4.0-6.9) — $500
- Low (0.1-3.9) — up to $100
The reward amount depends on the severity of the discovered vulnerability as determined by its CVSS v3.1 base score; the ranges above are the standard CVSS v3.1 qualitative severity ratings.
When duplicates occur, we award the first report that we can completely reproduce. Multiple vulnerabilities caused by one underlying issue will be awarded one reward.
We do not offer rewards for software issues that do not have a security or privacy impact.
Reporting
To report a security or privacy vulnerability, send an email to [email protected] (“Official Channel”) and include steps to reproduce the issue, relevant logs and, optionally, videos in your message.
Please report different findings by sending separate emails with a relevant subject each.