Our commitment to security
At Panorama9 we take security seriously. We know you trust us with your data, and so protecting it is our first priority. Most of the team have a background in IT security in one form or another, and a few of us are downright paranoid when it comes to security. We take pride in making the most secure IT administration tools available and believe in security out of the box.
That said, we also know that no software is ever 100% secure, and so we ask you to follow responsible disclosure if you find a security flaw in our service. If you think you have found a security flaw in our product, please contact support@panorama9.com.
Responsible disclosure policy
Simple rules for testing security:
- Please report your findings to support@panorama9.com with enough detail to allow us to reproduce the issue.
- Please only test against your own account and with your own data (if you ask nicely, we can give you multiple test accounts to try things out with).
- Don't DoS, spam, phish or break things for our other users.
- Don't disclose security flaws publicly before we have a chance to fix the flaw.
If you do that we in turn promise to:
- Fix the flaw quickly (some things take hours, some things may take weeks).
- Credit you for your help.
- Keep lawyers and law enforcement out of the matter.
A few notes on what and how to report
A report consisting of copy-pasted output from a scanning tool, just a zip file attached, or a video as proof of concept is not as helpful as a real textual description of the bug in question.
We are primarily interested in bugs found in our:
- Web applications (the Dashboard and MSP Control Panel),
- agent software (Windows, Linux and OSX versions),
- general infrastructure (we use and integrate with a lot of third party services).
We are not interested in reports on SPF or other mail settings. We are quite happy with how that is set up, thank you.
Credits
The Panorama9 team would like to thank the following individuals for responsibly disclosing security flaws to us.
- Nitesh Sharma (LinkedIn), security researcher: Found several vulnerabilities on our blog web site (XSS and host injection weaknesses).
- Chotaliya Vibhurushi Chandubhai (facebook profile), security researcher: Found a vulnerability related to host header injection and an information disclosure on our dashboard web server.
- Nikhil Mittal (Garage4hackers), security researcher: Found a potentially critical security flaw in our user management interface.
- Jatan Vora (facebook profile), security researcher: Found a potentially critical security flaw in our user management interface. Discovered two weaknesses in our web server configuration (HTTP method TRACE and server info header enabled).
- Ben Creitz (@cvcrckt): Exploration found instances of missing sanitization of user input. Resulted in improved sanitizing of user input in the Dashboard.
- Vladislav Mladenov, Julian Krautwald, Florian Feldmann and Christian Mainka (@CheariX), security researchers at Horst Görtz Institute for IT-Security / Chair for Network and Data Security: Found a flaw in the SAML verification of the SSO integration. Resulted in improved security for SAML based SSO with Panorama9.
- Mohamed Abdelbaset Elnoby (@SymbianSyMoh), security researcher at W3Pwn: Found a potential click-jacking vulnerability. Resulted in improved protection against click-jacking and CSRF attacks.
- Evan Ricafort (www.evanricafort.com) and Ali Kabeel (kabeel.com), security researchers: Found a weakness with password reset tokens. Resulted in reduced risk if a user should lose control of his/her mail account.
- Shahmeer Amir (Maadssec), security researcher: Scanning found a testing server vulnerable to the POODLE attack. Resulted in hardened security of our test environment.
- Ashish Dhaduk (@ashishbdhaduk): Exploration found an instance of missing sanitization of user input. Resulted in improved sanitizing of user input in the MSP Control Panel.
- Muhammad Abdullah (hackerone.com/mahitman): Exploration found instances of missing sanitization of user input. Resulted in improved sanitizing of user input in the Dashboard.
- SaifAllah benMassaoud (facebook.com/WhiteHatSecuri), security researcher: Scanning found a login page vulnerable to the Logjam attack. Resulted in improved protection against MITM downgrade attacks.
- Shawar Khan (facebook.com/shawarkhanskofficial), security researcher: Exploration found a weakness in the password change functionality. Resulted in improved checks of new passwords.
- Pratyush Anjan Sarangi: Scanning found a redirect vulnerability on the corporate website.
- Muhammad Osama (facebook profile), security researcher: Exploration found an instance of missing sanitization of user input. Resulted in improved sanitizing of user input in the MSP Control Panel.
- Mehdi Benkaddour (facebook profile, @DocteurSQL): Discovered a vulnerability in a WordPress plug-in called Hupso Share Buttons, a security hole in the Panorama9 blog.
- Ali Tabish (@connect_tabish, facebook profile): Discovered a vulnerability in the login page that meant the user email could be cached and later viewed by non-authorized persons under certain circumstances.