At Acquia we take the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance steps to ensure our products are of high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products. If you discover a security issue or vulnerability in an Acquia product or service, we ask that you report this to us confidentially.
Please email the details to our security team at [email protected]. We appreciate responsible disclosure and will acknowledge security researchers when an issue has been reported, adhering to the following parameters.
Acquia does not currently have a bug bounty program in place; however, we are happy to credit researchers with their name and a link to an address of their choosing (e.g. Twitter or personal website) on our Hall of Fame below.
Parameters and exclusions
- Do not access, destroy or negatively impact Acquia’s or its customers’ data in any way.
- Do not use automated scanners. (The use of automated scanners may result in investigative action and your IP being blocked.)
- Make a good-faith effort to avoid privacy violations and interruption or degradation of Acquia’s services (e.g. denial of service) during your research.
- Do not conduct any type of physical or electronic attack against Acquia’s personnel, offices or data centers.
- Allow Acquia reasonable time to investigate your report and carry out any necessary remediation.
- Do not violate any laws or breach any prior agreements.
Please do not report the following issues:
- Displayed server software banners or other version information.
- Descriptive error messages.
- Missing HTTP security headers (e.g. X-Frame-Options).
- Missing or incorrect SPF records.
- CSRF on forms that are available to anonymous users.
- Username / email enumeration.
- Disclosure of known public files. (e.g. robots.txt)
Acquia will not initiate legal actions against researchers, as long as they adhere to these parameters. Acquia reserves the right to only credit researchers who have reported an issue that is proven and of sufficient severity.
What details should you include when reporting a security issue?
Please provide as many relevant details as you can, such as:
- How the vulnerability can be exploited and the potential impact.
- How you discovered the vulnerability and clear steps to reproduce.
- Any proof-of-concept attack and/or images showing the attack vector.
- Any known patches or controls to mitigate the vulnerability.