Responsible Disclosure of Security Vulnerabilities

If you have discovered a vulnerability on CRM in Cloud, we request that you responsibly disclose the vulnerability to our security team by taking the following steps:

  1. Do not attempt to exploit the vulnerability. Do not share the suspected vulnerability or any data with others. Do not store or copy any unauthorized data.
  2. Email the details to our Security Incident Response Team at security@crmincloud.it.
  3. To ensure the security of the email content you must use our PGP key found below to encrypt the information. Unencrypted content is automatically discarded.

Ranking Vulnerabilities

All reported vulnerabilities are checked for validity, ranked, and then reviewed by the TeamSystem Application Security team.

TeamSystem has established a Vulnerability Ranking Matrix based on NIST's Common Vulnerability Scoring System (CVSS) v3.
The Vulnerability Ranking Matrix is defined below. Vulnerabilities are ranked using the guidelines below with assistance from the NIST CVSS Calculator.
The final ranking for a vulnerability is at the sole discretion of the TeamSystem Application Security team.

Critical
CVSS >= 9.0 Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, large-scale access to PII, etc.
Example: Vulnerabilities that result in unrestricted Remote Code Execution, such as vertical authentication bypass, SSRF, XXE, SQL Injection, user authentication bypass.

High
CVSS 7.0 - 8.9 Vulnerabilities that affect the security of the platform including the processes it supports.
Example: Lateral authentication bypass, Stored XSS, some CSRF depending on impact.

Moderate
CVSS 5.0 - 6.9 Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
Example: reflected XSS, direct object reference, URL redirect, some CSRF depending on impact.

Low
CVSS < 5.0 Issues that affect singular users and require interaction or significant prerequisites (MITM) to trigger.
Example: Common flaws, Detailed debug information.

Acceptable
Non-exploitable weaknesses and “won’t fix” vulnerabilities, best practices, mitigations, issues that are by design or an acceptable business risk to the customer, such as the use of CAPTCHAs.

Best Practice
"Best practice" type reports (e.g. DNSSEC, missing HTTP security headers, SPF, DKIM, DMARC, etc.).

In Scope Domains
The following domains are included in this program.

In Scope Applications
The program is limited to the following applications.

PGP Key
