Vulnerability Disclosure Program
Purpose of the Program
Gradient MSP is committed to protecting the trust our customers and partners place in us by granting access to their data. Our system security ensures that we can continue to provide services that our customers depend on.
The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and Gradient MSP recognizes that fostering a close relationship with the community will help improve our own security. If you have information about a vulnerability in our services, we want to hear from you!
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly, and Gradient MSP will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Program Scope
Any web-accessible service that is owned by Gradient MSP and handles customer data is in scope for the program.
Vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).
Rules and Expectations
- Notify us as soon as possible after you discover a real or potential security issue.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Do not perform denial of service attacks, or any other attacks designed to degrade Gradient MSP’s service.
- Do not spam web contact forms.
- Do not download, modify, or delete any data and only view data required to confirm the presence of a vulnerability.
- Do not publicly disclose or discuss vulnerabilities outside of the scope of the program without written consent from Gradient MSP.
- Submit one vulnerability per report, unless chaining is required to demonstrate impact.
Expectations of Gradient MSP
- Initial response and triage within 5 business days.
- Maintain an open dialogue for communication.
- Strive to remediate valid findings within 90 days.
- Recognition of your contribution if you are the first to report a significant vulnerability.
Out-of-Scope Vulnerabilities
The following vulnerabilities are considered out of scope for the program:
- Vulnerabilities requiring physical access to a user’s device.
- Missing best practices in SSL/TLS configuration, security headers, content security policy, HTTPOnly flags, etc.
- Missing email or DNS best practices (SPF/DKIM/DMARC, DNSSEC, etc.).
- Version disclosure (banner identification, descriptive error messages, etc.).
- CSRF on unauthenticated forms.
- Disclosure of well-known files (robots.txt, etc.).
- Vulnerabilities that require phishing or social engineering.
- Vulnerabilities that contain only output from automated scanners without a working proof of concept.
Reporting Process
To report a security vulnerability to Gradient MSP, email us at disclosure@meetgradient.com, including as much of the following information as possible.
- A description of the issue and list of systems identified as impacted.
- Screenshots or video of the issue.
- Step-by-step instructions to reproduce. Include any scripts, exploit code, arguments passed to tools, etc.
- Optional: Contact Information.