AppOmni Responsible Disclosure Policy
At AppOmni, our mission is Securing the Applications that Power the Enterprise. In pursuit of that mission, AppOmni believes vulnerability disclosure requires responsibility from both security researchers and software vendors. AppOmni through AO Labs regularly conducts research on SaaS security misconfigurations and related vulnerabilities in SaaS applications. The goal of this research is to create better security outcomes for our customers, and continue to elevate SaaS Security across the industry.
This policy outlines AppOmni’s disclosure process for vulnerabilities that are discovered during SaaS security research.
1. Definitions
As part of this disclosure policy, it is important to understand the difference between a vulnerability and a misconfiguration. Both can result in critical security gaps, but there are key differences that can affect how information is disclosed.
Vulnerability – A vulnerability is a weakness, flaw, or error found within a vendor’s software or platform that creates a security risk and has the potential to be exploited. Vulnerabilities require changes by a vendor, and relevant to SaaS applications, end-users or customers of a SaaS service do not have the ability to mitigate the vulnerability themselves.
Misconfiguration – a misconfiguration is a risk or security gap that is the result of an application setting or configuration that is under the control of the user. Specific configurations may result in security risks and are usually from an improper or incorrect use of a platform. In these scenarios, customers have the ability to mitigate this risk themselves by adjusting a configuration or control in the application.
These are the definitions that AppOmni and AO Labs use in conjunction with its research and findings and may affect the disclosure process.
2. Disclosure Process
When vulnerabilities are discovered in third-party SaaS applications, AppOmni will notify the vendor immediately with technical details through the official disclosure channels of the vendor. Public disclosure of findings will be withheld for 90 days from notification to allow adequate time for investigation and remediation by the vendor.
All AppOmni research is conducted in good faith with a primary focus on improving security outcomes for SaaS users. We primarily identify configuration-based risks in SaaS applications. Any discovered vulnerabilities outside this core research area are incidental findings.
The 90-day disclosure deadline may be adjusted under the following circumstances:
- If the deadline falls on a weekend or US public holiday, it will be moved to the next business day.
- If the vendor communicates a patch release date within 14 days before the deadline, AppOmni will delay public disclosure until the vendor’s patch is available.
- For active 0-day exploits unknown to the vendor, AppOmni may shorten the disclosure deadline as necessary. An accelerated timeline may be required to promptly alert companies of the vulnerability so they can take mitigating actions while a patch is developed.
AppOmni reserves the right to adjust disclosure timelines as deemed necessary based on unique circumstances. However, all software vendors will be treated equally in the disclosure process.
Reporting and disclosure on misconfigurations does not necessarily follow the above process as these are risks that can be remediated by users and generally offer technical guidance on how to mitigate the risks.
The goal of this policy is to responsibly disclose vulnerabilities to protect customers while allowing reasonable time for vendors to patch flaws. We believe open communication and cooperation best serve all parties.