Vulnerability Disclosure Policy

As of September 2023

Table of contents

  1. Introduction
  2. Purpose of this policy
  3. How to report a security finding
  4. Limitations
  5. Our Commitment
  6. Responsible Disclosure

Introduction

Jedox is the world’s most adaptable business planning and performance management platform, enabling companies to create business plans that exceed their previous results and expectations. More than 2,500 companies in 140 countries rely on Jedox to model any scenario, integrate data from a wide range of sources and simplify planning across the enterprise and across systems. Jedox creates an environment where users collaborate better, respond faster to change, make informed decisions and realize previously unrecognized opportunities.

We at Jedox are deeply committed to safeguarding the security of the information that is processed when our products are used. For this purpose we have implemented a comprehensive set of information security measures, of which this policy forms a substantial part.

Purpose of this policy

This policy provides you with the information relevant to submitting vulnerabilities in Jedox products. Please be aware that by submitting a vulnerability you acknowledge that this policy applies to your submission.

How to report a security finding

If you believe that you have found a security issue in a Jedox product, please forward your findings to either of the following addresses:

  • [email protected] will automatically create a ticket in HackerOne and onboard you onto the platform, where your eligibility for a bounty is assessed.
  • [email protected] will deliver your message to our internal experts, who will review your finding.

Your message will need to contain the following information in order to be assessed:

  • Type of security issue
  • How you found the security issue
  • Whether the security issue has been published or shared with others
  • Affected products and versions
  • Affected configurations
  • Exposure or possible exposure of any personal information
  • Description of the location and potential impact of the security issue

To ensure that the communication is adequately encrypted, please use the PGP key published on the following page: https://www.jedox.com/.well-known/security.txt

Limitations

Jedox reserves all of its legal rights if you do not follow the responsible disclosure guidelines. In the interest of the safety of our users, employees, the internet at large, and you, the following test types are excluded from scope:

  • Findings from physical testing such as on-site access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, whaling)
  • UI and UX bugs and spelling or grammar mistakes
  • Network-level Denial of Service (DoS/DDoS) weaknesses
  • Destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to Jedox or its customers
  • Attacks against our infrastructure that go beyond the scope of our applications

Our Commitment

At Jedox, we value the contributions of security researchers and reporters who help us improve the security of our systems, products, and services. Our commitment includes the following principles:

I. Confidentiality and Privacy

We treat all vulnerability reports as confidential and respect the privacy of those who report them. We will not disclose your identity or the details of the vulnerability without your explicit consent, except as required by law.

II. Legal Protection

We will not pursue legal action against security researchers or reporters who submit vulnerability reports in good faith and in compliance with this policy as well as the law. We appreciate your efforts in helping us secure our systems.

III. Acknowledgment and Recognition

We acknowledge and appreciate the efforts of security researchers and reporters who help us identify and mitigate vulnerabilities. If your report is eligible under our HackerOne program, you will receive a bounty for your finding.

IV. Timely Response and Resolution

We are committed to acknowledging receipt of vulnerability reports within 10 business days and to conducting a thorough investigation. Throughout the process, we will maintain open and transparent communication with you, keeping you informed of our progress and the status of the vulnerability’s resolution.

Responsible Disclosure

Jedox is committed to the timely remediation of vulnerabilities in the Jedox Platform. However, we recognize that the public disclosure of a vulnerability in the absence of a readily available remediation may increase the risk of exposure to our customers. Accordingly, we request that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report.

We furthermore ask that you make sure your security research does not:

  • compromise the privacy of individuals,
  • facilitate the destruction or loss of data,
  • slow the system down for users,
  • result in a violation of laws such as, but not limited to, data protection laws, laws on the protection of trade secrets, and laws on computer fraud or hacking.