TCM Security Vulnerability Disclosure Program

TCM Security (TCMS) acknowledges that no technology is perfect and believes in collaborating with experienced security researchers worldwide to detect weaknesses. If you suspect a security issue with one of our products or services, we invite you to inform us, and we will work with you to resolve the matter promptly.

Disclosure Policy

TCMS strives to make the disclosure process as painless as possible, both for the person submitting the vulnerability report and for TCMS employees. To that end, please observe the following:

    • Please inform us as soon as possible upon discovering a potential security concern. We will take action to resolve it quickly.
    • Do not reveal the vulnerability to the public or third parties.
    • Exercise caution to prevent privacy breaches, data loss, and disruption or degradation of our service. Only access accounts you own or with the owner’s explicit consent.
    • Submissions that are not accepted, or that are determined to be out of scope, may not be disclosed publicly under any circumstances.

Program Rules

Please exercise caution when testing and submitting reports. The following outlines the rules of the VDP.

    • Submit comprehensive reports with clear steps for reproduction. Incomplete reports may not be triaged.
    • Report only one vulnerability per submission, unless multiple vulnerabilities are required to demonstrate impact.
    • If duplicates are submitted, only the first received (and reproducible) report will be triaged.
    • Multiple vulnerabilities resulting from one underlying issue will be considered as a single valid report.
    • Social engineering tactics such as phishing, vishing, and smishing are prohibited.

Assets in Scope

Assets Out of Scope

Any application or endpoint not specified in the Assets in Scope is explicitly out of scope. These include:
    • academy.tcm-sec.com
    • Any information form, contact form, or other form discovered during testing is explicitly out of scope and not to be tested under any circumstances.

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) the attack scenario/exploitability and (2) the security impact of the bug. The following issues are considered out of scope:
    • Missing account lockout or lack of rate limiting on authentication or forgot-password pages.
    • Any form discovered in the course of testing is OUT OF SCOPE. Do not submit payloads in forms.
    • Any activity that could lead to the disruption of our service (DoS). If you are certain that an endpoint is vulnerable to an application-level DoS attack, contact us and we will test/confirm it ourselves.
    • Attacks requiring MITM or physical access to a user’s device.
    • Clickjacking on pages with no sensitive actions.
    • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
    • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
    • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
    • Issues that require unlikely user interaction.
    • Missing best practices in Content Security Policy.
    • Missing best practices in SSL/TLS configuration.
    • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
    • Missing HttpOnly or Secure flags on cookies.
    • Open redirect, unless an additional security impact can be demonstrated.
    • Previously known vulnerable libraries without a working proof of concept.
    • Public zero-day vulnerabilities that have had an official patch for less than one month will be considered on a case-by-case basis.
    • Rate limiting or brute force issues on non-authentication endpoints.
    • Social engineering (e.g., phishing, vishing, smishing).
    • Software version disclosure, banner identification, descriptive error messages or headers (e.g., stack traces, application or server errors), or public files (e.g., robots.txt).
    • Tabnabbing.
    • The takeover of expired or nonexistent social media accounts linked from our websites (e.g., Twitter, Facebook, LinkedIn).
    • Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest released stable version).
    • Weak CAPTCHA, or CAPTCHA that can be bypassed.

Safe Harbor

Conduct that follows this policy will be deemed authorized, and we will not take legal action against you. Should a third party initiate legal proceedings against you concerning actions carried out under this policy, we will take steps to demonstrate that your activities were carried out in accordance with this policy.

We appreciate your contribution to keeping TCM Security and our users secure.

Safe Harbor Violations

TCMS recognizes that human error may occur during responsible testing (e.g., an incorrect thread setting in a scanner that violates the rate-limiting policy). If this occurs, notify TCMS immediately with a detailed description of what happened, when, and how.

In cases of negligence, or where the tester has not contacted the VDP program after making an error during testing, TCMS may take the following actions:
    • Written warning and suspension of testing privileges.
    • Temporary or permanent blocking of your IP address from accessing all TCMS assets, including, but not limited to:
        • TCM Security website
        • TCM Security Academy
        • TCM Security exam platform
    • In cases of significant negligence, TCM Security will contact law enforcement where appropriate.