Reporting a Security Issue

If you discover a security issue or vulnerability in an Acquia product or service, we ask that you report this to us confidentially.

Report a Security Issue


Responsible Disclosure

At Acquia we take the security of our products very seriously. We educate our staff on security best practices and our development process includes quality assurance steps to ensure our products are of high quality and secure. However, like all complex software products, it is possible that a security vulnerability may be present in one of our products.

Please email the details to our security team at [email protected]. We appreciate responsible disclosure and will acknowledge security researchers when an issue has been reported, adhering to the following parameters.

Acquia does not currently have a bug bounty program in place; however, we are happy to credit researchers with their name and a link to an address of their choosing (e.g. Twitter or personal website) on our Hall of Fame below.

Parameters and Exclusions

Parameters

  • Do not access, destroy or negatively impact Acquia’s or its customers’ data in any way.
  • Do not use automated scanners. (The use of automated scanners may result in investigative action and your IP being blocked.)
  • Make a good faith effort to avoid privacy violations and interruption or degradation of Acquia’s services (e.g. denial of service) during your research.
  • Do not conduct any type of physical or electronic attack against Acquia’s personnel, offices or data centers.
  • Allow Acquia reasonable time to investigate your report and carry out any necessary remediation.
  • Do not violate any laws or breach any prior agreements.

Exclusions

  • Displayed server software banners or other version information.
  • Descriptive error messages.
  • Missing HTTP security headers (e.g. X-Frame-Options).
  • Missing or incorrect SPF records.
  • CSRF on forms that are available to anonymous users.
  • Username / email enumeration.
  • Disclosure of known public files (e.g. robots.txt).

Acquia will not initiate legal actions against researchers, as long as they adhere to these parameters. Acquia reserves the right to only credit researchers who have reported an issue that is proven and of sufficient severity.

Submission Details

Please provide as many relevant details as you can, such as:

  • How the vulnerability can be exploited and the potential impact.
  • How you discovered the vulnerability and clear steps to reproduce.
  • Any proof of concept attack and/or images showing the attack vector.
  • Any known patches or controls to mitigate the vulnerability.
Thank You

Security Hall of Fame

A special thanks to the following people who have responsibly disclosed vulnerabilities to Acquia in the past:

  • Ausaf Liaquat
  • Amjad Kabaha - Facebook
  • Prakash Kumar - LinkedIn
  • Vishal Panchani (gujjuboy10x00) - Twitter
  • Ronak Nahar (naharronak) - LinkedIn
  • Chirag Gupta (chiraggupta8769) - LinkedIn
  • Shoeb "CaptainFreak" Patel - Twitter
  • Gokul Babu (gokul-babu-452b3b112) - LinkedIn
  • Suhas Gaikwad (iamsuhasgaikwad) - Twitter
  • S.Vijay (cracbaby) - Twintech Solutions - Facebook
  • Fabio Pires (fabiopirespt) - Twitter
  • Francesco Mifsud (gradiusx) - Twitter
  • Cody Zacharias
  • Kamil Sevi (kamilsevi) - Twitter
  • Emanuel Bronshtein (e3amn2l) - Twitter
  • M.R.Vignesh Kumar (vigneshkumarmr) - Twitter
  • Prajal Kulkarni
  • Himanshu Kumar Das (mehimansu) - Twitter
  • Ajay Singh Negi
  • Atulkumar Hariba Shedage