Reporting Elementum Security Issues
If you’ve found a security issue, thank you! We appreciate your help.
This page describes how we handle security issues and how to best contact us.
How Elementum Approaches
Security Issues
We know and understand that it is important to you that the issue is addressed promptly. It's important for us too. Once we confirm and triage the issue, we'll come up with a plan and let you know our expected timeline. We try to respond to issues within a few hours. Some issues, of course, might take longer.
We take security seriously, and we will make an effort to respond as fast as possible.
We will start working on reproducing the issue and will contact you if we need additional information to help us do so. We don't require require a proof of concept exploit or any proof of exploitability, but any information you can share up front is helpful.
We know and understand that it is important to you that the issue is addressed promptly. It's important for us too. Once we confirm and triage the issue, we'll come up with a plan and let you know our expected timeline. We try to respond to issues within a few hours. Some issues, of course, might take longer.
Once the issue is fixed, we'll deploy the patch.
Public Disclosure
While we evaluate and fix the issue, we respectfully ask that you hold off on publicly announcing any details until we can roll out a patch.
Depending on the severity of the issue, we usually wait 10 business days before contacting our stakeholders about the vulnerability in order to give all involved parties the opportunity to patch.
Bounties and Rewards
While we appreciate your help in disclosing potential issues in a responsible manner, at this time we don’t offer cash prizes or rewards.
Contacting Us
If you can, try to encrypt your email using our public PGP key (0x2dac5a112d2b1ba6 on http://pgp.mit.edu/). If not, please send us an email in plain-text.
Send any issues to whitehat@elementum.com. If you believe you found an issue but you’re not sure, email us anyway.
Elementum is committed to maintaining high ethical and professional standards in all its business dealings.
If you are uncomfortable speaking directly to your Elementum point of contact about a potential ethics issue at, or in your dealings with, Elementum, you can choose to submit it through this form.