Conga Vulnerability Disclosure Program

Software security researchers are increasingly engaging with companies that have an online presence to find vulnerabilities in public-facing applications. The Conga Vulnerability Disclosure Program acknowledges the skills of these researchers and recognizes them for their efforts and responsible disclosure of vulnerabilities previously unknown to Conga.

If you have found a vulnerability, please report it with this form.

You can find useful information in the following sections to assist you further:    


Rules

Before you start, please read and keep the following in mind:

  • There is no financial reward for participating in the Program. Please do not request any financial reward for any disclosure reports.
  • Conga maintains a list of known bugs and vulnerabilities and checks every report against it. A report of an item that is already known is ineligible and will be closed as Not Applicable.
  • Do not attempt any Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack. Any such attempt will disqualify you from the program.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, customers, users, or infrastructure.  
  • By participating in Conga’s Vulnerability Disclosure program, you acknowledge that you have read and agree to Conga’s Terms of Service as well as the following:  
     
    • Your participation in the Program will not violate any applicable laws or disrupt or compromise any data that is not your own.  
    • Confidentiality: Please keep all information regarding discovered vulnerabilities confidential until we have confirmed resolution and granted permission for public disclosure. This includes refraining from disclosing the vulnerability to third parties or publishing information about it on public forums or social media.  
    • Communication Channels: Vulnerability reports should be submitted through the procedure described in this policy. Please refrain from contacting individual employees or other channels for vulnerability disclosure. Further information can be requested at vulnerabilitydisclosure@conga.com.
    • Public Disclosure: Once the vulnerability has been confirmed and resolved, we will coordinate with you to determine an appropriate timeline for public disclosure. We may request a delay in public disclosure to allow us to implement and test patches across all affected systems.  
  • Conga reserves the right to pursue appropriate legal recourse in the event of violations of this policy, applicable laws, and/or the introduction of malicious software or any other harmful elements into its products or infrastructure.  
  • Conga reserves the right to terminate or suspend the Program at its discretion and modify or update the Rules.  

Ineligible Submissions

There are some circumstances where we consider a reported vulnerability ineligible for recognition, either because the feature is working as intended or because we accept the low risk as a security/usability tradeoff:

  • Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for recognition.
  • Anything not directly exploitable, such as:
     
    • Security best practice violations.
    • Email/username enumeration.
    • Missing cookie flags.  
  • Vulnerabilities that require an already compromised system such as:
     
    • Jailbreaking a mobile device.
    • Compromised email account.
  • Incomplete or missing SPF/DKIM/DMARC records.  
  • Clickjacking on pages with no sensitive actions.  
  • Attacks whose impact is confined to the attacking user (self-attacks), meaning the effects are limited solely to the individual who initiates the attack.

Conga Terms of Service

Please read the Terms of Service agreement carefully before accessing or testing Conga Applications. As this is an important agreement between us and our users, we have tried to make it as clear as possible.

Legal Safe Harbor

  • We consider security research and vulnerability disclosure activities conducted consistent with this policy as “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c). We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the applications in this vulnerability disclosure program’s scope.  
  • We want you to coordinate disclosure through our vulnerability disclosure program, and don’t want researchers to be put in fear of legal consequences because of their good faith attempts to comply with our vulnerability disclosure policy. We cannot bind any third party, so do not assume this protection extends to any third party. If in doubt, ask us before engaging in any specific action you think might go outside the bounds of our policy.  
  • Because both identifying and non-identifying information can put a researcher at risk, we limit what we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc.) with a third party if you give your written permission.  
  • If your security research as part of the vulnerability disclosure program violates certain restrictions in our site policies, the safe harbor terms permit a limited exemption. 

Performing Your Research

  • Do not impact other users with your testing; this includes testing vulnerabilities in repositories or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.  
  • Do not perform social engineering, including phishing against employees.
  • Do not attempt to take over social media pages.
  • Do not attempt to access private customer information or accounts.
  • Do not attempt to access offices or employee devices, or to test physical security controls.
  • We recommend using your own email address for any account that you use to perform security research and testing. Clearly identifying accounts that are associated with vulnerability research helps our teams to differentiate between possibly malicious activity and that of researchers involved in our vulnerability disclosure program. Please note that adding your email address does not provide any exemptions to our Terms of Service or permit you to act beyond our program's rules and scope.  
  • The following are never allowed and are ineligible for recognition. We may revoke your ability to receive recognition for any reported vulnerabilities and ban your IP address for:  
     
    • Exploiting a vulnerability in any way
    • Performing distributed denial of service (DDoS) or other volumetric attacks  
    • Spamming content  
    • Tools which produce excessive amounts of traffic. Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one Nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive. 

Handling Personally Identifiable Information (PII)

  • Personally identifiable information (PII) includes:
     
    • legal and/or full names  
    • names or usernames combined with other identifiers like phone numbers or email addresses  
    • health or financial information (including insurance information, social security numbers, etc.)  
    • information about political or religious affiliations  
    • information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes  
  • If you discover PII during your research, please report this vulnerability to Conga immediately. Once this has been reported, you must delete all your local, stored or cached copies of the data containing PII as soon as possible. You must also not share the PII you have discovered with anyone besides Conga, including public disclosure. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed.
  • We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability. 

Reporting Your Vulnerability

Vulnerability submissions should include the following information to be considered for recognition:

  • Your full name and email  
  • URL for identified vulnerability  
  • Vulnerability type  
  • Estimated severity (including an estimated CVSS score)
  • Written reproduction steps and a proof of concept for the vulnerability
  • Disclosure plans if applicable (post vulnerability remediation/recognition)  
Please note that it may take time to investigate and resolve the issue you have reported. 

Recognition

The Conga Vulnerability Disclosure Program does not offer financial rewards for vulnerability reports. Any demand for payment or other financial reward will be ignored, and you will be disqualified from receiving recognition. If the vulnerability you report has already been reported to us, no recognition will be given.

Recognition will be in the form of a certificate denoting your support for Conga’s Vulnerability Disclosure Program.
For further information, please email vulnerabilitydisclosure@conga.com and we will respond to your query as soon as possible.