We take data security very seriously at OnePageCRM. We have over 11,000 customers worldwide relying on us to keep their data safe and secure.
The OnePageCRM Development team consists of trusted and experienced developers who continuously evaluate our code and coding practices to recognize and shore up vulnerabilities.
OnePageCRM also enlists the services of professional third-party penetration testing personnel to test the OnePageCRM infrastructure on a regular basis.
To ensure security is at the highest of standards, we welcome responsible disclosure of any vulnerabilities that you or your security researchers may find. OnePageCRM takes these issues seriously, and recognizes the work of the white hat community in responsibly reporting any findings.
If you're submitting a report, please ensure it contains a detailed description of your findings with clear steps to reproduce the vulnerability. This will greatly assist our Development team in identifying and fixing the vulnerability as quickly as possible.
When assessing our application, please note the following so that our responsible disclosure principles are adhered to.
Principles of responsible disclosure include, but are not limited to:
- Access and expose only customer data that is your own
- Avoid scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site)
- Keep within the guidelines of our Terms Of Service
- Keep details of vulnerabilities secret until OnePageCRM has been notified and had a reasonable amount of time to fix the vulnerability
- If you suspect you’ve discovered a security bug or vulnerability in OnePageCRM, we encourage you to report it to us straight away
- We are most interested in vulnerabilities with app.onepagecrm.com and secure.onepagecrm.com
- Provide as many details as possible in your report
- We must be able to reproduce the security bug from your report
- This program does not allow for public disclosure of the vulnerability without express permission. If you wish to disclose the report, we require that you ask us first
- Authentication or authorization flaws
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF)
- Mixed-content scripts
- Server-side code execution bugs
- Circumvention of our Platform/Privacy permissions model
- Denial of Service vulnerabilities (DoS)
- Do-it-yourself XSS
- Possibilities to send malicious links to people you know
- Security bugs in third-party websites that integrate with OnePageCRM
- Mixed-content scripts on onepagecrm.com
- Insecure cookies on onepagecrm.com
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
- Username enumeration
- Previously reported bugs
- Brute force password cracking
- Logout cross-site request forgery
If you believe you have found a security vulnerability or have any security concerns, questions or comments, please get in touch at firstname.lastname@example.org.