INDUSTRY REPORT: Game changing insights into subcontractor performance ratings → Access now

Reporting a possible security vulnerability

We take security seriously and strive to ensure the integrity of our application. We encourage responsible disclosure to help us maintain the highest level of security for our clients.

Guidelines

When performing security testing, exploration or analysis, please follow the below guidelines

  • Make every reasonable effort to avoid the following;
    • Service disruption (e.g. DoS).
    • Privacy violations (i.e. accessing customer’s data).
    • Data destruction.
  • Do not phish or social engineer employees or customers of ProcurePro.
  • Do not submit reports via automated emails or report unverified results from automated scanning tools or scripts.

Reporting a Vulnerability

If you have discovered a potential security vulnerability or weaknesses in our application, please reference the below points:

  1. Our Contact Information: Send an email to our dedicated security email address: infosecteam (at) procurepro.co
  2. Subject Line: Use a clear and concise subject line that describes the vulnerability. For example, "Security Vulnerability - [Brief Description]"
  3. Detailed Description: In the body of the email, provide a detailed description of the vulnerability. Include the following information:
  • A clear and concise explanation of the vulnerability.
  • The steps to reproduce the vulnerability.
  • Target URIs and example request & response pairs.
  • Any potential impact of the vulnerability.
  1. Attach supporting documents: If applicable, attach screenshots or a proof-of-concept that demonstrates the vulnerability. This will help us better understand and validate the issue.
  2. Protect sensitive or Personally Identifiable Information (PII): When sharing details of your research, please refrain from including any sensitive or personally identifiable information which may have been obtained. If such information is required as part of your report, let us know before sending it, so we can provide encryption keys or a more secure channel of communication.
  3. Your Contact Information: Include your name and contact information so that we can reach out to you for further clarification or to provide updates on the resolution progress.

What to Expect

After receiving your report, our security team will acknowledge it promptly and begin the investigation process. Here's what you can expect:

  1. Initial Response: You will receive an initial response from our security team acknowledging the receipt of your report. We may request additional information or clarification at this stage.
  2. Investigation: Our team will investigate the reported vulnerability to confirm its validity and assess its severity.
  3. Resolution: Once the investigation is complete, we will work to address and resolve the vulnerability. This may involve developing and testing a patch or fix.
  4. Communication: We will maintain open communication with you, and depending on time frames, may provide multiple updates on the status of the resolution.

Responsible Disclosure

We strongly encourage responsible disclosure. Please refrain from sharing or exploiting the vulnerability before it is resolved. We appreciate your cooperation in keeping our users' data and systems secure.

Reports submitted to ProcurePro are done so in good faith. By submitting information to us, you agree that the process does not create any rights for you or any obligations for ProcurePro. If necessary, we will coordinate with you to determine an appropriate timeline for public disclosure.

Furthermore, you agree the Information submitted will be considered non-proprietary and non-confidential and can be used in any manner by ProcurePro without any restriction.

Reward Program

We currently, do not have a paid bug bounty program - if you would like to participate in any future event or bug-hunt, please let us know and we will reach out to keep you updated.

To show our appreciation for high-quality responsible disclosures, we may offer a reward or a token of thanks to security researchers who report vulnerabilities in accordance with this process. Details of our reward program can be discussed on a case-by-case basis.

Thank you for helping us ensure the security of ProcurePro. Your vigilance and cooperation are essential in maintaining a safe and secure environment for our product.

If you have any questions or need further assistance, please don't hesitate to reach out via the email listed above.