Vulnerability disclosure policy
This Vulnerability Disclosure Policy applies to any vulnerability in our services and software that you consider reporting to Cognite. We recommend you take the time to read this entire policy and act according to it before disclosing any vulnerability. We value those who take the time and effort to report security vulnerabilities according to this policy. However, Cognite does not offer monetary (or non-monetary) rewards for vulnerability disclosures.
Reporting security vulnerabilities
If you believe you have found a security vulnerability, please report it to the following email address:
ext-security-disclosure at cognite.com
When reporting a vulnerability, please take the time to provide the following information:
- Website, IP, or page where the vulnerability can be observed (such as www.cognite.com).
- A brief description of the vulnerability (such as "cross-site scripting").
- Steps to reproduce. These should be a benign, non-destructive proof of concept.
- How to contact you for follow-up and request further information.
What to expect when reporting
After receiving the report, we will normally respond within five working days. We will normally perform triage within 10 working days. We'll also aim to keep you informed of our progress.
Priority for remediation is assessed by looking at the impact, severity, and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire about the status but should avoid doing so more than once every 14 days. This allows our teams to focus on remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
You should not:
- Break any applicable law or regulations.
- Access unnecessary, excessive, or significant amounts of data.
- Modify data in Cognite's systems or services (or those of our customers or partners).
- Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
- Attempt any form of denial of service, e.g., overwhelming a service with a high volume of requests.
- Disrupt the services or systems of Cognite, our customers, or partners.
- Submit reports detailing non-exploitable vulnerabilities or reports indicating that the services do not fully align with "best practice," for example, missing security headers.
- Submit reports detailing TLS configuration weaknesses, for example, "weak" cipher suite support or the presence of TLS1.0 support.
- Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
- Social engineer, "phish," or physically attack Cognite's staff or infrastructure or those of our customers or partners.
- Demand financial compensation to disclose any vulnerabilities.
You must:
- Always comply with data protection rules and not violate the privacy of any data Cognite holds. You should not, for example, share, redistribute, or fail to properly secure data retrieved from the systems or services.
- Securely delete all data retrieved during your research as soon as it is no longer required or within one month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).
This policy is designed to be compatible with common vulnerability disclosure good practices. It does not permit you to act in any manner that is inconsistent with the law or which might cause Cognite, Cognite's customers, or Cognite's partners, to breach any legal obligations.