Reporting a Security Issue
If you discover a security issue or vulnerability in an Acquia product or service, we ask that you report this to us confidentially.
Responsible Disclosure
At Acquia we take the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance steps to ensure our products are of high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products.
Please email the details to our security team at [email protected]. We appreciate responsible disclosure and will acknowledge security researchers when an issue has been reported, adhering to the following parameters.
Acquia does not currently have a bug bounty program in place; however, we are happy to credit researchers with their name and a link to an address of their choosing (e.g. Twitter or personal website) in our Hall of Fame below.
Parameters and Exclusions
Parameters
- Do not access, destroy or negatively impact Acquia’s or its customers’ data in any way.
- Do not use automated scanners. (The use of automated scanners may result in investigative action and your IP address being blocked.)
- Make a good faith effort to avoid privacy violations and any interruption or degradation of Acquia’s services (e.g. denial of service) during your research.
- Do not conduct any type of physical or electronic attack against Acquia’s personnel, offices or data centers.
- Allow Acquia reasonable time to investigate your report and carry out any necessary remediation.
- Do not violate any laws or breach any prior agreements.
Exclusions
- Displayed server software banners or other version information.
- Descriptive error messages.
- Missing HTTP security headers (e.g. X-Frame-Options).
- Missing or incorrect SPF records.
- CSRF on forms that are available to anonymous users.
- Username / email enumeration.
- Disclosure of known public files (e.g. robots.txt).
Acquia will not initiate legal action against researchers as long as they adhere to these parameters. Acquia reserves the right to credit only researchers who have reported an issue that is proven and of sufficient severity.
Submission Details
Please provide as many relevant details as you can, such as:
- How the vulnerability can be exploited and its potential impact.
- How you discovered the vulnerability, with clear steps to reproduce it.
- Any proof-of-concept attack and/or images showing the attack vector.
- Any known patches or controls that mitigate the vulnerability.
Security Hall of Fame
A special thanks to the following people who have responsibly disclosed vulnerabilities to Acquia in the past:
- Harshal Bafna - LinkedIn
- Bharat Adhikari | LinkedIn
- Mohit Kumar - LinkedIn
- Corrie Sloot - LinkedIn
- Ramlal - LinkedIn
- Smriti Chandravanshi - LinkedIn
- S M Tarikul Alam - LinkedIn
- Guillermo Gregorio - LinkedIn
- Gaurang maheta - LinkedIn
- Raghav Khandelwal | LinkedIn
- Tim Koopmans | Twitter
- Mansoor Rangwala | LinkedIn
- Ravi Pavan | LinkedIn
- Rachit Verma | LinkedIn
- Chris Davis | Twitter
- Vincenzo De Naro Papa | Twitter
- Marek Jílek | www.mjilek.cz
- Anshuman Pattnaik | Twitter, hackbotone.com
- Jubin Sharma | Twitter
- Sarvagya Sonkar | LinkedIn
- Naveen Kumawat (nvk) | Twitter
- Ausaf Liaquat
- Amjad Kabaha - Facebook
- Prakash Kumar - LinkedIn
- Vishal Panchani (gujjuboy10x00) - Twitter
- Ronak Nahar (naharronak) - LinkedIn
- Chirag Gupta (chiraggupta8769) - LinkedIn
- Shoeb "CaptainFreak" Patel - Twitter
- Gokul Babu (gokul-babu-452b3b112) - LinkedIn
- Suhas Gaikwad (iamsuhasgaikwad) - Twitter
- S.Vijay (cracbaby) - Twintech Solutions - Facebook
- Fabio Pires (fabiopirespt) - Twitter
- Francesco Mifsud (gradiusx) - Twitter
- Cody Zacharias
- Kamil Sevi (kamilsevi) - Twitter
- Emanuel Bronshtein (e3amn2l) - Twitter
- M.R.Vignesh Kumar (vigneshkumarmr) - Twitter
- Prajal Kulkarni
- Himanshu Kumar Das (mehimansu) - Twitter
- Ajay Singh Negi
- Atulkumar Hariba Shedage
- Chiragh Dewan (ChiraghDewan) - Twitter
- Rafay Baloch (rafayhackingarticles.net)
- SimranJeet Singh
- Adam Ziaja (adamziaja.com)
- Piyush Malik (ThePiyushMalik) - Twitter
- Harsha Vardhan
- Wan Ikram (rinakikun) - Twitter
- Krutarth Shukla
- Narendra Bhati (narendradewsoft) - Facebook
- Ahmad Ashraff (yappare) - Twitter
- Tejash Patel & Parveen Yadav
- Joeri Poesen
- Vedachala (vedachalaka) - Twitter
- Sebastian Neef & Tim Schäfers
- internetwache - Twitter
- Vinesh Redkar (AVsecurity.in)
- Samandeep Singh
- Dhaval Chauhan (17haval) - Twitter
- Nitesh Shilpkar
- Umraz Ahmed (umrazahmed) - Twitter
- Ehraz Ahmed (securityexe) - Twitter
- Jigar Thakkar (Infobit Technologies)
- Tushar. R. Kumbhare (Defencely)
- Siddhesh Gawde
- Frans Rosén (www.detectify.com)
- Chirag Paghadal
- Yuji Kosuga (yujikosuga) - Twitter
- Rafael Pablos (silverneox.blogspot.com)
- Reegun Richard Jayapaul (reegun) - LinkedIn
- Nitin Goplani (nitingoplani) - LinkedIn
- Yogesh Modi
- Ali Hassan Ghori
- Turzo Ahmed
- Ashesh Kumar
- Muhammed Gamal Fahmy - Facebook
- Mandeep Singh Jadon
- Kiran Karnad
- Akshay Pandurangi - Facebook
- Somesh Yadav
- Naveen Ramesh
- Omar HAMMOU (https://hackerone.com/xramos)