contact us at security@onequince.com
Responsible Disclosure
This page is for security researchers to report security vulnerabilities to Quince in an ethical and responsible manner.
At Quince, ensuring cybersecurity is our topmost concern. We maintain a strong dedication to safeguarding the confidentiality, integrity, and availability of data, information, and information systems. As we strive to attain an exceptional level of security, we recognize that external vulnerabilities can arise from anyone at any given moment. Consequently, we aim to leverage the expertise of external security researchers in our quest to enhance our overall security posture. Hence we have established a Vulnerability Responsible Disclosure Policy to provide clear guidelines to security researchers so that they can report vulnerabilities in an ethical and responsible manner and be part of our journey to create a secure environment.
Responsible Disclosure Guidelines:
Please read the below guidelines to understand the policy.
Scope:
Any vulnerabilities with a demonstrated impact that affects confidentiality, integrity, and availability of data, information, and information systems related to the Quince platforms (*.quince.com, *.onequince.com)
Out of Scope:
Any vulnerability with low impact. For example - Clickjacking/UI redressing, Lack of SSL or Mixed content, Self XSS, Vulnerabilities affecting users of outdated browsers, plugins, or platforms, and Outdated 3rd party libraries with no direct exploit. Note - This list is not limited to this.
Any duplicate vulnerability.
Rules of Engagement
Usage of high-load automated scanners or conducting Denial of Service (DoS) testing is strictly prohibited.
Do not conduct any tests that may result in data loss, disruption, or degradation of Quince services and systems.
Conduct testing exclusively using accounts that belong to you and are designated for personal or testing purposes.
Do not run any test that modifies sensitive data such as personally identifiable information, Quince intellectual property, or sensitive data other than yours.
Do not engage in social engineering or phishing of customers or employees.
Please refrain from disclosing or publishing your findings on the internet or through any other means.
Exploiting vulnerabilities discovered during testing is not permitted without permission.
While reporting vulnerabilities, please share a clear report that includes a description, proof of concept, and detailed steps required to reproduce the vulnerability.
Reporting a vulnerability responsibly
If you have found any potential security vulnerability on our platform, we encourage you to report the issue to us responsibly and adhere to the 'Responsible Disclosure Guidelines'. You can submit a report to us at security@onequince.com with detailed steps required to reproduce the vulnerability.
Hall of fame
We extend our heartfelt appreciation to individuals who responsibly disclose vulnerabilities to us. We acknowledge and highly value their invaluable contribution to strengthening the security of our products and services to create a secure ecosystem. As a gesture of recognition, we proudly showcase these contributors in our esteemed Hall of Fame and provide certificates of appreciation.
We would like to thank the following people for making eligible vulnerability responsible disclosure to us: - Kader Harsith Mohamed Kani