Responsible Disclosure of Security Vulnerabilities
If you have discovered a vulnerability on CRM in Cloud, we request that you responsibly disclose the vulnerability to our security team by taking the following steps:
Ranking Vulnerabilities
All reported vulnerabilities are checked for validity, ranked, and then reviewed by the TeamSystem Application Security team.
TeamSystem has established a Vulnerability Ranking Matrix based on NIST's Common Vulnerability Scoring System V3).
The Vulnerability Ranking Matrix is defined below. Vulnerabilities are ranked using the guidelines below with assistance from the NIST CVSS Calculator).
The final ranking for a vulnerability is the sole discretion of TeamSystem Application Security team.
Critical
CVSS >= 9.0 Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, large scale access to PII, etc.
Example: Vulnerabilities that result in unrestricted Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass.
High
CVSS 7.0 - 8.9 Vulnerabilities that affect the security of the platform including the processes it supports.
Example: Lateral authentication bypass, Stored XSS, some CSRF depending on impact.
Moderate
CVSS 5.0 - 6.9 Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
Example: reflective XSS, direct object reference, URL Redirect, some CSRF depending on impact.
Low
CVSS < 5.0 Issues that affect singular users and require interaction or significant prerequisites (MITM) to trigger.
Example: Common flaws, Detailed debug information.
Acceptable
Non-exploitable weaknesses and “won’t fix” vulnerabilities, best practices, mitigations, issues that are by design or acceptable business risk to the customer such as use of CAPTCHAS.
Best Practice
"Best practice" type reports (e.g. DNSSEC, missing HTTP security headers, SPF, DKIM, DMARC, etc.).
In Scope Domains
The following domains are included in this program.
In Scope Applications
The program is limited to the following applications.
PGP Key