Introduction
PaperCut accepts vulnerability reports, allowing external security researchers to submit vulnerability information to us using our existing reporting process. The CVSS 3 system is used to rate the severity of submitted vulnerabilities. This applies to all of PaperCut Software’s products and to the website https://papercut.com.
PaperCut reserves the right to assess whether or not a submission is eligible for a fix. We will always credit you for your findings, should you choose to be credited, if we release a “fixed” version. Based on assessments made by our Security team, we may also offer to add you to our Hall of Fame.
Guidelines
Under this policy, "research" means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else. You must delete the sensitive data and/or provide a copy to us if we ask you to do so.
Test Methods
The following test methods are not authorized:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
Scope
This program is for finding vulnerabilities in our own PaperCut Software products and services for print management, as long as you've got lawful access to them.
This means:
- PaperCut MF™
- PaperCut NG™
- PaperCut Hive™
- PaperCut Pocket™
- The PaperCut Mobility Print™, QRdoc™ or PaperCut Views™ tools
- PaperCut Multiverse™
- Our website https://www.papercut.com
- And all other PaperCut products and services.
We also accept vulnerability information about our website (https://www.papercut.com), but vulnerabilities in the website are assessed and rewarded on a case-by-case basis.
While the aim of this program is to welcome any information that can be used to better identify bugs and vulnerabilities that get through to production, it does have a few guard rails in terms of what is out of scope. If you feel a vulnerability should still be considered, please reach out to us so we can consider it on a case-by-case basis.
If you’d like, you can use the NVD CVSS v3 calculator to better understand the severity of the vulnerability that you’re providing us with information about.
Out of Scope
- All staging environments are out of scope of our Bug Bounty program.
- Social engineering or phishing
- Weak or insecure SSL ciphers or certificates
- Denial of service (DoS)
- Physical attacks against our organization, its employees, or property belonging to us or our employees
- Accessing, downloading, modifying, or disclosing data residing in an account that does not belong to you
- Testing in a manner that would degrade the operation of PaperCut Software’s products
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages
- Testing third-party websites, applications or services that integrate with our services or products
- Use of known-vulnerable libraries or frameworks (e.g. outdated jQuery or AngularJS) without a valid attack scenario
- Issues related to brute forcing, rate limiting and other denial-of-service-type attacks
- Issues related to mobile applications that require the host device to be rooted or jailbroken
- Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc.)
- Issues that rely on outdated or unpatched browsers and platforms to be abused
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software that could impact our services, products, customers or any other party
How to Report
You can responsibly disclose potential security vulnerabilities to PaperCut Software by using our form, “Report a security vulnerability or sign up for security notifications”, on the PaperCut website. Alternatively, if you want to encrypt your files before sending them to us, you may use our PGP key. We are only able to accept vulnerability reports in English.