Security Research Program

LOGIN REGISTER

    > responsible_disclosure_protocol
Security Research Policy
        This document defines the rules of engagement for independent
        researchers interacting with ESC infrastructure, applications,
        APIs and related assets.
      

    > safe_harborESC will not initiate legal action against researchers who:
• Act i        n good faith
• Test only in-scope assets
• Avoid privacy violations
• Avoid service disruption
• Report vulnerabilities privately
• Provide reasonable remediation time before disclosure
Compliance with this policy preserves safe harbor protection.

    > allowed_attack_surface
          web vulnerabilities
          • SQL Injection (error-based, blind, time-based)
• Cross-Site Scripting (reflected, stored, DOM)
• Server-Side Request Forgery (SSRF)
• XML External Entity (XXE)
• Remote Code Execution (RCE)
• Insecure Deserialization
• Template Injection
• Open Redirect

        

          auth & access control
          • IDOR (Insecure Direct Object Reference)
• Broken Authentication
• Privilege Escalation
• Multi-factor bypass
• Session fixation / hijacking
• JWT manipulation

        

          api & infrastructure
          • Misconfigured S3 / object storage
• Exposed admin interfaces
• Subdomain takeover
• CORS misconfiguration
• GraphQL introspection abuse
• Rate limiting bypass

        

          business logic flaws
          • Payment manipulation
• Coupon abuse
• Race conditions
• Workflow bypass
• Data validation flaws

        

    > prohibited_actions
          destructive activity
          • Denial of Service (DoS/DDoS)
• Data destruction or modification
• Malware deployment
• Cryptomining
• Brute-force attacks at scale

        

          unauthorized operations
          • Accessing real user accounts
• Bulk data exfiltration
• Social engineering
• Phishing campaigns
• Physical intrusion attempts

        

    > severity_model
          Severity is evaluated using impact, exploitability,
          and potential business risk.
        
critical – RCE, auth bypass, data exfiltration at scale
high – privilege escalation, sensitive data exposure
medium – stored XSS, business logic abuse
low – minor misconfigurations

    > triage_processSubmission received and logged
Initial validation within 72 hours
Impact assessment and severity classification
Engineering remediation
Researcher acknowledgment and reward decision

          Average remediation timeline depends on severity level.
        

    > coordinated_disclosure
          Public disclosure must be coordinated with ESC.
          Unauthorized publication before remediation voids safe harbor.
        

          Recommended disclosure timeline: 90 days unless otherwise agreed.
        

          Extensions may be negotiated for complex vulnerabilities.
        

    > disclosure_channel
        Submit full technical details, reproduction steps, impact analysis,
        and proof-of-concept.
      
security@esc-software.com
  