Security auditing and Vulnerability management
To continuously assure a reliable and secure product for its customers, Siteimprove has its application suite tested for security vulnerabilities, both internally and externally.
Internally, this is done through quality checks before each release as well as 'bug hunting' sessions, where Siteimprove developers try out new features in order to discover whether the application is not responding as it should.
Externally, this is done by a 3rd party entity that specializes in penetration testing services. The process concludes with a vulnerability report which will serve as input for the development of the application. This process is repeated every 6-9 months to verify that previously discovered vulnerabilities have been fixed and to uncover new vulnerabilities. The detailed vulnerability report as well as the detailed plan for fixing the vulnerabilities will not be shared with external parties due to the confidentiality of its contents. Siteimprove can provide to customers, upon request and a signed NDA, a high-level summary proving the fact that the penetration test has been done by a 3rd party entity.
Reporting a potential Security vulnerability
Siteimprove Security acknowledges the valuable role that independent security researchers play in internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Siteimprove is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.
- Review the Independent Security Research guidelines further below in this document
- Privately share details of the suspected vulnerability with Siteimprove by sending an email to [email protected]
- Provide full details of the suspected vulnerability so the Siteimprove security team may validate and reproduce the issue
After receiving a vulnerability report, Siteimprove commits to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Prioritize the issue internally based on report analysis
- Fix the vulnerability if applicable
Independent security research guidelines
Only the following domains and sub-domains are in scope for independent security research.
In-Scope list:
- my.siteimprove.com
- my2.siteimprove.com
- id.siteimprove.com
- sso2.siteimprove.com
- www.siteimprove.com
Any other Siteimprove related domain or sub-domain that is not mentioned above is not in scope for independent security research.
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Performing actions that may negatively affect Siteimprove or its users (e.g. Spam, Brute Force, Denial of Service)
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on Siteimprove personnel, property or data centers
- Social engineering any Siteimprove service desk, employee or contractor
- Violating any laws or breaching any agreements in order to discover vulnerabilities
- Testing any other sub-domain/domain that is not in the In-Scope list above
Vulnerability acknowledgement
Siteimprove does not currently offer financial compensation for any discovered vulnerabilities but would like to thank the following organizations and individuals that have reported security issues affecting our online services.
- Mohammed Israil (@mdisrail2468)
- Jens Müller (@jensvoid)
- Remesh Ramachandran (www.remeshr.com)
- Dava Wardana (linkedin.com/in/dava-wardana140502)