Trend Micro Cloud One™ – Conformity Responsible Disclosure
Security is at the heart of Conformity. Our customers put their trust in our platform to help secure their cloud infrastructure. We care deeply about our customers and need to ensure that the platform is secure to use and protected from bad actors.
We believe that an effective way to achieve this goal is through collaboration with the independent security community. If you are a security researcher and have discovered a vulnerability in our platform, let us know by submitting your findings using the form below. Before submission, please take a look at the reporting and non-compliance guidelines.
We appreciate the time and effort you take to make Conformity safer!
Reporting
Conformity will review each submission to determine if the finding is valid and has not been previously reported. We recommend that all submissions have detailed steps for our security team to accurately reproduce the vulnerability. Feel free to provide screenshots in addition to the written steps to help us further understand the security issue. An example reporting template is shown in the form below.
Non-compliance
Public disclosure of submission details without explicit written consent from Conformity will render the submission noncompliant with this Responsible Disclosure Policy.
You are prohibited from:
- Accessing, downloading or modifying data that does not belong to you (please sign up for a free trial here for security testing purposes).
- Denial of Service attacks.
- Testing in a manner that would result in the sending of an unsolicited or unreasonably large number of messages to our customers and internal staff.
- Testing third-party applications, websites or services that integrate with the Conformity platform.
You are prohibited from:
- Content Spoofing.
- User/Email Enumeration.
- Bruteforcing Authentication.
- Rate limit testing on login or API requests.
- SSL attacks such as BEAST, BREACH, and renegotiation attacks.
- Submissions about old framework versions.
Submissions that involve taking prohibited actions or include out-of-scope areas will be marked as noncompliant.