Vulnerability Disclosure Policy for Celiveo

Celiveo, a leading Secure Print and Document Management SaaS publisher, is committed to maintaining the highest standards of security for our cloud-based services, applications, and infrastructure. We recognize that vulnerabilities can exist in any system and value the contributions of security researchers and ethical hackers in identifying and reporting them. This Vulnerability Disclosure Policy (VDP) provides clear guidelines for conducting vulnerability research and reporting potential issues to us, ensuring a collaborative and safe process for all involved.

This policy is designed to foster a positive relationship with the security community while protecting our users, data, and systems. It outlines the scope of authorized research, reporting procedures, and our commitments to handling reports responsibly.

Authorization and Safe Harbor

If you conduct security research in good faith and comply with this policy, Celiveo considers your activities authorized. We will not pursue or recommend legal action against you for such research. This includes protection against claims related to circumvention of technological measures under laws like the Digital Millennium Copyright Act (DMCA), provided your actions align with this policy. Should a third party initiate legal action against you for compliant activities, we will make this authorization known to relevant parties.

To qualify for this safe harbor:

  • Your research must not violate privacy, disrupt services, or cause harm to Celiveo, our customers, or any third parties.
  • You must promptly report any discovered vulnerabilities without exploiting them beyond what's necessary for verification.
  • You agree not to disclose the vulnerability publicly until we have had a reasonable time to address it.

Guidelines for Research

We encourage responsible vulnerability discovery. Under this policy, authorized research includes activities where you:

  • Notify us immediately on https://support.celiveo.com upon discovering a vulnerability or encountering sensitive data (e.g., personally identifiable information, financial data, or proprietary information).
  • Limit exploitation to the minimum required to confirm the vulnerability—do not compromise, exfiltrate, or manipulate data; establish persistent access; or pivot to other systems.
  • Avoid actions that could degrade user experience, disrupt production environments, or destroy data.
  • Refrain from submitting high volumes of low-quality reports.
  • If sensitive data is encountered, stop testing immediately, notify us, and do not share or retain the data.

The following test methods are explicitly not authorized:

  • Denial-of-service (DoS/DDoS) attacks or any tests that impair system access or performance.
  • Physical security testing, social engineering (e.g., phishing), or non-technical attacks.
  • High-intensity scanning or fuzzing that could overload systems.
  • Attacks on non-Internet-facing systems, such as internal networks or workstations.
  • Installation of persistent backdoors or malware.
  • Spamming, metadata extraction from assets, or theoretical attacks without realistic exploit scenarios.

Issues without direct security impact, such as missing security headers, weak TLS configurations, or absence of best practices (e.g., DKIM/SPF records), are out of scope and will not be considered.

Scope

This policy applies to all Celiveo-owned and -operated SaaS platforms, including:

  • Our primary domains: *.celiveo365.com and *.celiveo.cloud (including any subdomains).
  • Public-facing APIs and web applications hosted on our infrastructure.
  • Mobile applications published under Celiveo in official app stores.
  • Source code repositories publicly available on platforms like GitHub under our organization (e.g., github.com/celiveo/*).

Excluded from scope:

  • Third-party services or vendors (e.g., cloud providers like Azure or integrated tools); report vulnerabilities directly to them per their policies.
  • Any systems not explicitly listed; if unsure, contact us before testing.
  • Customer-specific instances or data unless explicitly authorized.

We may expand this scope over time and will update the policy accordingly. For now, focus active research only on in-scope assets. Vulnerabilities in out-of-scope systems should not be tested under this policy.

Reporting a Vulnerability

Please submit reports via our secure web form at https://support.celiveo.com. Anonymous submissions are accepted and encouraged—we do not require personal information, though providing contact details allows us to follow up if needed.

In your report, include:

  • A detailed description of the vulnerability, including its location (e.g., URL, API endpoint) and potential impact.
  • Steps to reproduce, including any non-destructive proof-of-concept code, screenshots, or scripts.
  • Affected systems or versions.
  • Any relevant technical details (e.g., CVE references if applicable).

We prefer reports in English but will accommodate others where possible. For sensitive information, use our HTTPS-secured form.

By submitting, you acknowledge no expectation of payment, though we may recognize significant contributions through our Hall of Fame or non-monetary rewards (e.g., swag or credits).

If your report involves vulnerabilities affecting multiple parties (e.g., open-source dependencies), we may share anonymized details with relevant organizations, such as the Cybersecurity and Infrastructure Security Agency (CISA), for coordinated disclosure.

What to Expect From Us

We commit to handling reports transparently and efficiently:

  • Acknowledgment: We will confirm receipt within 3 business days.
  • Triage and Validation: We aim to validate and prioritize the issue within 5-10 business days, based on severity (using CVSS scoring).
  • Remediation: We will provide updates on progress and an estimated timeline for resolution. Critical issues will be addressed as quickly as possible.
  • Resolution: Once fixed, we will notify you (if contact info is provided) and may invite you to verify the fix.
  • Public Disclosure: We request you coordinate any public release with us to ensure unified guidance. Typically, we allow disclosure 90 days after initial report, or sooner if resolved.
  • CVE publication for third-party vulnerabilities: We will not publish our own CVE or detailed public advisory until the upstream library supplier has assigned/published their CVE (or declined to do so). This helps protect the wider community of users depending on the same component.

For reports involving third-party components, our timeline depends on upstream response times. We will keep you informed of progress where possible.

We prioritize based on impact, exploitability, and complexity. While we strive for quick resolutions, complex issues may take longer—please allow at least 14 days between status inquiries.

Recognition and Rewards

For valid, high-impact reports, we offer:

  • Inclusion in our Security Hall of Fame (with your consent).
  • Non-monetary rewards, such as branded merchandise or security tools.

We do not offer bug bounties at this time but may introduce them in the future.

Legal Considerations

This policy does not grant permission for illegal activities or breaches of applicable laws. It is compatible with common vulnerability disclosure best practices and aims to protect researchers acting in good faith. Celiveo reserves the right to modify this policy; changes will be posted here with a version history.

Questions and Updates

For questions or suggestions, open a ticket on https://support.celiveo.com.

Document Change History

Version | Date          | Description
--------|---------------|---------------------
1.0     | March 3, 2026 | Initial publication.

Thank you for helping secure Celiveo's services—we appreciate your efforts in making our platform safer for everyone.