Responsible Vulnerability Disclosure
This page is for security researchers who want to responsibly report vulnerabilities in Marigold’s public-facing products. We encourage the reporting of discovered vulnerabilities directly to us.
Responsible Disclosure Guidelines and Restrictions
While we encourage reporting of vulnerabilities directly, we participate in a responsible disclosure program hosted through Bugcrowd. This program offers a secure channel for independent researchers to report security issues and vulnerabilities to Marigold. Bugcrowd manages all communications with the researcher(s) and vets each submission for accuracy and for consistency with the program's testing boundaries and scope. Where applicable, Bugcrowd also administers bounty payments for programs enrolled in a paid program.
The following provides procedures and guidelines to participate in our program:
- Participation restrictions:
  - Researchers who are current Marigold employees, have family members employed by Marigold, or are current vendors (or employees of such vendors) used by Marigold or any of its subsidiaries.
  - Researchers from countries specifically sanctioned by OFAC (Cuba, Iran, Syria, North Korea, or the Crimea region of Ukraine).
  - Researchers designated as a Specially Designated National or Blocked Person by the U.S. Department of Treasury's Office of Foreign Assets Control, or otherwise owned, controlled, or acting on behalf of such a person or entity.
  - Individuals otherwise prohibited under U.S. trade or export control laws.
- Researchers must:
  - Comply with all applicable laws.
  - Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  - Not copy any data beyond what is needed to support a finding. At no time are researchers authorized to disclose any personally identifiable information or other sensitive or restricted data outside of the bounty program.
  - Only use an exploit to confirm the existence of a vulnerability. Researchers must not use an exploit to go beyond proving that the vulnerability exists.
  - Not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or pivot to other systems unless specifically authorized by Marigold.
  - Not conduct any denial of service or other attack that degrades performance or user experience.
  - Not use social engineering tactics or techniques to identify or further exploit a vulnerability.
  - Receive approval from Marigold before releasing details of the vulnerability to the general public.
Reporting a Security Vulnerability
The steps outlined below describe how to engage with Marigold's external vulnerability disclosure program and how submissions are triaged and processed.
- Security researchers register with Bugcrowd and enroll in Marigold's program. Researchers may also submit findings to our disclosure program by clicking the relevant product below or through the responsible disclosure links on the respective websites.
- Marigold targets may be differentiated between both public and private programs. Public programs are offered to all researchers, and private programs are open to select researchers.
- Researchers identify security vulnerabilities in one of our products and submit the report through the Bugcrowd platform containing the steps or evidence necessary to reproduce and remediate the issue.
- Bugcrowd will review the evidence and, if the issue is reproducible, will set the priority of the issue, ranging from P1 (highest) to P5 (lowest). Triaged issues may be classified in one of the following categories:
  - Duplicate: the issue has already been submitted by another researcher. In this situation, Bugcrowd will provide feedback through the Bugcrowd platform.
  - Unresolved: issues accepted by Marigold will be classified as 'unresolved' and managed through our internal workflow.
  - Won't Fix: Marigold accepts the issue but is unable to remediate it. In the Bugcrowd platform, the issue will be marked appropriately to prevent future submissions.
  - Out of Scope: the issue is identified as out of scope for the program. For submissions determined to be out of scope, Bugcrowd will provide feedback to the submitter.