What is the VDP?
Safeguarding the security and integrity of the Acqueon platform is critical to the service we provide to our customers, and we are dedicated to providing a secure product. We acknowledge and value the experience that the security research community frequently provides, and Acqueon recognizes that developing a close relationship with the community will help improve our own security.
If you have discovered or believe you have discovered potential security vulnerabilities within Acqueon services, we urge you to disclose your discovery to us in accordance with this Responsible Disclosure Program. Please be aware that this program has no monetary awards.
Where Do I Start?
Discovering Security Vulnerabilities
We encourage responsible security research on the Acqueon services and products. Upon prior written approval, we permit you to conduct vulnerability research and testing on the Acqueon Services to which you have authorized access. Requests are to be sent to cybersecurity@five9.com.
In no scenario shall your research and testing involve:
- Accessing, or attempting to access, accounts or data that do not belong to you or your Authorized Users,
- Any attempt to modify or destroy any data,
- Executing, or attempting to execute, a denial of service attack,
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages to any Acqueon employee or contractor,
- Testing third party websites, applications or services that integrate with Acqueon Services,
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade the Acqueon services, and
- Any activity that violates any applicable law, or breaches any agreements, in order to discover vulnerabilities.
Reporting Security Vulnerabilities
Pending written approval from Acqueon to conduct the research, if you believe you have discovered a security vulnerability issue, please share the details with Acqueon by filling out the form below.
Issues not to Report
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Phishing or Social Engineering Techniques
- Presence of application/web browser ‘autocomplete’ or ‘save password’ operations
- Sender Policy Framework (SPF) configuration suggestions
- DMARC configurations
- Clickjacking / UI Redressing
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.
Acqueon Security Team Commitment
Please understand that your research is considered the Confidential Information of Acqueon and any publication, reproduction or other distribution of any of the research is expressly prohibited without Acqueon’s prior written consent. If you responsibly submit a vulnerability report, the Acqueon security team and associated development organizations will use reasonable efforts to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Provide an estimated time frame for addressing the vulnerability report
- Notify you when the vulnerability has been fixed