Introduction to Esko Coordinated Vulnerability Disclosure
In June 2021, Esko launched version 1.1 of its Coordinated Vulnerability Disclosure (CVD) process, underscoring its commitment to maintaining the security and confidentiality of its digital products and assets. Esko places a strong emphasis on transparency within the industry, striving to enhance security standards not only for its own organization but also for its diverse clientele. This proactive approach to cybersecurity involves engaging with the security research community to identify and address potential vulnerabilities responsibly and efficiently.
Responsible Reporting of Vulnerabilities
If you believe you have discovered a security vulnerability within any of Esko's digital products or assets, Esko encourages you to report it promptly and responsibly by submitting a detailed vulnerability report to csir@esko.com. It is crucial to familiarize yourself with Esko's rules and guidelines before disclosing any potential vulnerabilities. By participating in the Esko CVD program, you agree to adhere to the established process and privacy policy. Remember that any information shared with Esko will be treated as non-proprietary and non-confidential, allowing Esko to utilize the information as needed to enhance security measures.
Reporting Guidelines and Requirements
When submitting a vulnerability report to Esko, ensure that your submission includes a clear description of the vulnerability, along with supporting evidence such as logs, screenshots, relevant responses, or other proof. Additionally, provide the date of discovery, your assessment of exploitability or impact, and an explanatory video demonstrating the discovery and exploitation process. Include details on the tools used, necessary user privileges, relevant platforms, IP addresses, URLs, and your contact information for secure communication.
Reward System and Important Considerations
Esko grants rewards at its discretion to the first reporter of a relevant vulnerability. Where a vulnerability affects multiple Esko products or assets, only one reward applies. Submissions without an explanatory video or clear evidence may not qualify for rewards. Individuals on sanctions lists or residing in sanctioned countries are not eligible for rewards. Moreover, Esko employees and their family members are excluded from the CVD process. Esko does not respond to hoaxes, anonymous reports, non-actionable submissions, or reports lacking relevance to the company or its technologies.
Contact and Feedback
For any vulnerability information or feedback related to the Esko CVD program, you can contact Esko at csir@esko.com. Esko values suggestions and input from the security community to continuously enhance its cybersecurity measures. By collaborating with security researchers and experts, Esko aims to foster a culture of security and protection for both the company and its clients. Your contributions play a vital role in safeguarding Esko and its stakeholders from potential threats and vulnerabilities.