Vulnerability Disclosure Guidelines

Introduction

At Ivalua, while we do not give permission to actively audit our infrastructure, we do encourage responsible disclosure of any vulnerabilities that may be found in our systems or applications. These guidelines explain how to disclose vulnerabilities responsibly and outline what you can expect from us in terms of a response.

Scope

These guidelines apply to any digital assets owned, operated, or maintained by Ivalua, including, but not limited to, websites, applications, and databases. No authorization is given with respect to the activities described below as excluded (see “Exclusions”).

These guidelines do not apply to existing Ivalua customers or Authorized Users. If you are an Authorized User, vulnerability security testing and disclosure rights and restrictions are only as expressly set forth in your Organization’s agreement with Ivalua.

How to Disclose a Vulnerability

To disclose a security vulnerability, please follow these steps:

  • Email Your Findings: Send an email to [email protected].
  • Provide Detailed Information: Include as much information as possible about the vulnerability, such as:
    • The URL or location of the vulnerability.
    • A detailed description of the vulnerability.
    • Steps to reproduce the vulnerability (Proof of Concept scripts or screenshots can be helpful).
    • Any potential impacts of the vulnerability.
  • Keep It Confidential: Do not disclose the vulnerability to others until we have had a chance to investigate and address it.

What to Expect After Reporting a Vulnerability

  • Acknowledgment: We aim to acknowledge receipt of your report.
  • Communication: If deemed appropriate, we will maintain communication with you regarding the status of your report.
  • Assessment and Validation: Our internal teams will assess and validate the reported vulnerability.
  • Remediation: We will evaluate reported findings and remediate/mitigate validated vulnerabilities in accordance with our internal policies and processes.
  • Disclosure: If required, we will coordinate with you on the timing and details of any public disclosure.

Exclusions

These guidelines do not constitute a waiver of any rights Ivalua would have under applicable law. Please be advised that engaging in testing or encouraging others to test a third-party’s systems without permission is generally considered unauthorized access under various laws, such as the Computer Fraud and Abuse Act (CFAA) in the United States and similar laws in other jurisdictions. This can lead to criminal and civil liabilities for both the organizers and the participants of any form of unauthorized security testing.

As a consequence, the following testing methods are not authorized:

  • Denial of service (DoS or DDoS) attacks.
  • Physical attacks against our offices or data centers.
  • Social engineering and spam attacks against our employees, contractors, or customers.
  • Automated scanning of Ivalua assets.
  • Any other activity that could disrupt, damage, or harm our users or services.
  • Login attempts by non-Authorized Users to Ivalua systems.
  • Attempts to exploit any identified or reported vulnerability.

Contact Information

For any reporting and/or questions regarding this policy or the reporting process, please contact [email protected].