Vulnerability disclosure policy
This Vulnerability Disclosure Policy applies to any vulnerability in our services and software that you consider reporting to Cognite. Please read this entire policy and adhere to its guidance before disclosing any vulnerability.
We value those who take the time and effort to report security vulnerabilities according to this policy. However, Cognite does not offer monetary (or non-monetary rewards) for vulnerability disclosures.
Reporting security vulnerabilities
If you believe you have found a security vulnerability, please report it to the following email address:
ext-security-disclosure at cognite.com
When reporting a vulnerability, please provide the following information:
- Website, IP, or page where the vulnerability can be observed (such as www.cognite.com).
- A brief description of the vulnerability (such as "cross-site scripting").
- Steps to reproduce. These must be non-damaging and non-destructive.
- How to contact you for follow-up and request further information.
What to expect when reporting
After receiving the report, we will typically respond within five working days and perform triage within ten working days. We'll also aim to keep you informed of progress.
Priority for remediation is assessed by looking at the impact, severity, and complexity of the exploit. Vulnerability reports might take time to triage or address. You are welcome to enquire about the status, but you should only do so once every 14 days to allow us to focus on remediation.
We will notify you when the reported vulnerability is remediated.
You should not:
- Break any applicable laws or regulations.
- Access unnecessary, excessive, or significant amounts of data.
- Modify data in Cognite's systems or services, or data in our customer's or partner's systems or services.
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt any form of denial of service, for example, overwhelming a service with a high volume of requests.
- Disrupt the services or systems of Cognite, our customers, or partners.
- Submit reports detailing non-exploitable vulnerabilities or reports indicating that the services don't fully align with "best practice," for example, missing security headers.
- Submit reports detailing TLS configuration weaknesses, for example, "weak" cipher suite support or the presence of TLS1.0 support.
- Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
- Social engineer, phish, or physically attack Cognite's staff or infrastructure or those of our customers or partners.
- Demand financial compensation to disclose any vulnerabilities.
- Always comply with data protection rules and avoid violating the privacy of any data Cognite holds. For example, don't share, redistribute, or fail to secure data retrieved from the systems or services.
- Securely delete all data retrieved during your research as soon as it's no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
This policy is designed to be compatible with standard vulnerability disclosure good practices. It doesn't permit you to act in any manner that's inconsistent with the law or which might cause Cognite, Cognite's customers, or Cognite's partners, to breach any legal obligations.