Skip to main content

Vulnerability Disclosure Policy

Introduction

A Vulnerability Disclosure Policy is designed to provide ethical hackers with clear guidelines for submitting potentially unknown and harmful vulnerabilities to our company.

Areas of application

The scope of application includes the following products, cloud services and websites provided by JobRouter AG.

JobRouter Products

JobRouter products in the scope include:

  • JobRouter® App
  • JobRouter® Digitization Platform

Important information on the scope of JobRouter products

  • User case 1: If you have your own user account in the associated JobRouter product and have identified a security vulnerability in this product, you are allowed to reproduce this test case, provided you are authorized to use it.
  • User case 2: If user case 1 does not apply, the investigation of security vulnerabilities must be carried out via a separate test user account. If you cannot reproduce a vulnerability using a test user account, you are allowed to use a real account, provided you are authorized to use it (this does not apply to automatic penetration tests).
  • In both cases, the requirements of sections Out of Scope and Prohibited Actions must also be followed.

JobRouter Cloud Services

JobRouter Cloud Services is a synonym for JobRouter® Cloud.
JobRouter Cloud Services in the scope include:

  • JobRouter® Cloud SaaS (https://*.jobrouter.cloud, *.test.jobrouter.cloud), previously JobRouter® Small Business Cloud, JobRouter® Business Cloud and JobRouter® Enterprise Cloud
  • JobRouter® Demo Cloud (https://*.demo.jobrouter.cloud)
  • JobRouter® Templates Cloud (https://templates.jobrouter.com)
  • JobRouter® Sign Cloud (https://jobroutersign.jobrouter.cloud, jobroutersign.test.jobrouter.cloud)
  • JobMind Cloud (https://jobmind.jobrouter.cloud, jobmind.test.jobrouter.cloud)
  • JobRouter® Office Online Endpoint (https://*.wopi.jobrouter.cloud)
  • JobRouter® Remote DB (https://remotedb.jobrouter.cloud, https://remotedb.test.jobrouter.cloud)

Important information on the scope of JobRouter Cloud Services

Services for JobRouter customers and JobRouter AG itself are provided and operated in the JobRouter® Cloud.
This means for the disclosure of security vulnerabilities, that:

  • You must have written approval from the customer or JobRouter AG.
  • JobRouter® Cloud customers can authorize the penetration tests of their own applications.
  • No data of the respective test / user account may be modified or accessed without the express written consent of the customer or JobRouter AG and the test / user account holder.
  • The requirements of sections Out of Scope and Prohibited Actions must also be followed.

JobRouter Websites

JobRouter websites in scope include:

  • JobRouter Website (https://www.jobrouter.com)
  • JobRouter® Marketplace (https://marketplace.jobrouter.com)
  • JobRouter Newsletter (https://newsletter.jobrouter.com)

Important information on the scope of the JobRouter websites

  • Testing is only permitted on JobRouter websites with the express written consent of JobRouter AG.
  • The requirements of sections Out of Scope and Prohibited Actions must also be followed.

Out of scope

  • Security vulnerabilities that are already known or reported to JobRouter AG are excluded.
  • Only reported security vulnerabilities for officially supported JobRouter versions will be processed by JobRouter AG.
  • Security vulnerabilities that can be traced back to offered but not used or incorrectly configured security configurations of our JobRouter Products and Cloud Services.
  • Outside the scope of application are third party apps or websites that are not owned or controlled by JobRouter AG.
  • Security vulnerabilities in third-party apps or on third-party websites in which the JobRouter® Digitization Platform is integrated (e.g. Iframe) are excluded.
  • Security vulnerabilities in third-party apps or on third-party websites that are integrated into the JobRouter®
  • Digitization Platform (e.g. Iframe) are excluded.

Contact person(s)

Official contact e-mail address

The official contact e-mail address can be found in the following URL:
https://www.jobrouter.com/.well-known/security.txt
 

Contact for general questions about the policy

If you have any questions regarding the Vulnerability Disclosure Policy, please contact our official contact e-mail address (see section: Official contact e-mail address).

Contacting us when reporting security vulnerabilities

If a potential security vulnerability is found that poses a risk to security or privacy, it must be reported to JobRouter AG
immediately or in the near future.

Your report may only be submitted via our official contact e-mail address (see section: Official contact e-mail address). Please do not contact our employees directly or via other communication channels regarding a report.

The format of the report is described in section Template for filing a report.

Please note that you can only post one vulnerability per report and that you will only respond to any requests from our employees to receive updated or further information via the official contact e-mail address.

Responsible Research and Disclosure

JobRouter AG recognizes the value that external security experts can provide for the security of JobRouter products, cloud services and websites.

We welcome legitimate contributions from security experts.

There are no monetary rewards for reporting security vulnerabilities.

When searching for security vulnerabilities, the section Prohibited Actions must be observed in addition to this section.

If you are of the opinion that you have discovered a security vulnerability in the scope of application, please let us know immediately (see section: Contacting us when reporting security vulnerabilities).
We check all incoming reports and try to fix the security vulnerability as quickly as possible (see section: Evaluation of reported security vulnerabilities).

Vulnerabilities found by you may not be published elsewhere. Allow us a reasonable and realistic period of time - at least 4 weeks - to be able to react to your report before you publicly announce any information or share it with others.

If a potential security vulnerability is found that represents a risk to security or privacy, it must be reported to JobRouter AG immediately or in the near future (see section: Contacting us when reporting security vulnerabilities).

The format of the report is described in section Template for filing a report.

The following explains what you should specifically consider when investigating security vulnerabilities:

  • The vulnerability must be in the scope. Furthermore, we expressly exclude certain types of potential security vulnerabilities (see section: Scope of application).
  • Vulnerabilities discovered by you may only be used for test purposes. This also includes the identification of additional risks, such as the risk that the discovered security vulnerability could be used to compromise confidential company data.
  • If you accidentally gain unauthorized access to someone else's data or to JobRouter company data while investigating a security vulnerability, you must:
    • stop immediately all activities that could lead to further access to user or JobRouter company data,
    • tell us what information has been accessed (including a full description of the content of the information),
    • delete the information from your system immediately after reporting it to us,
    • onfirm the accidental access in each subsequent report to us that you submit.
  • In addition, do not share information that you accidentally accessed with anyone.
  • If you continue to access someone else's data or JobRouter company data, this may indicate a lack of good faith and result in criminal and/or civil law consequences.

Prohibited Actions

  • Out of concern about the availability of our JobRouter products, cloud services and websites for all users, please do not attempt DoS attacks, spam attacks or other similarly questionable actions (e.g. phishing attacks or social engineering techniques).
  • We also advise against using vulnerability testing tools that automatically generate very large amounts of traffic.
  • You must not violate any laws/regulations whenn you carry out penetration tests.
  • No automated penetration tests are allowed.
  • It is forbidden to smuggle in any form of malware.
  • You may not destroy, modify or access data if the data is not your own and you do not have the written consent of the data owner.

Template for filing a report

Please use the following template to submit a security vulnerability that you have found. To do this, fill out the template completely.

Which product, cloud service or website provided by JobRouter AG is it? Select the affected JobRouter product, cloud service or website.
Example: JobRouter® Demo Cloud
To which version of JobRouter does the incident relate to? If a version exists for the affected product or cloud service provided by JobRouter AG, please indicate this.
Example: JR 5.1.10 Stable
Type of vulnerability For example, you can use this list as a guide:
https://owasp.org/www-community/attacks/ 
Example: Cross Site Scripting (XSS): Reflected XSS Attacks
Brief description of the incident including its possible effects (no technical details and  description) For example, it could have been a problem in your JobRouter® Demo Cloud that resulted in the data of a certain customer being visible to another customer for a period of 1 hour.
Did this incident reveal any end-user data? Give us a note about the scope of the end user data presented to you and the type of date involved.
Example: Excel files from the accounting department; specifically the employee pay slips for the years 2018, 2019, 2020. The files were not encrypted and were available in clear text. In addition, the following Word documents were visible: "Neues_Buchhaltungssystem_2020.doc", "Gehaltserhöhungen_2021.doc", etc .;

Which programs/software did you use to recreate the incident? (with version information)

Example: Google Chrome, Version 87.0.4280.141 (Official Build) (64-bit)

How did you go about with the investigation? (technical details)

Describe what steps you took as part of the investigation into the incident to confirm its possible scope and impact.

Evaluation of reported security vulnerabilities

  • JobRouter AG examines and answers all valid reports. Depending on the risk and other factors, we set appropriate priorities for the evaluation. Therefore, there may be a delay in our response. Allow us a reasonable and realistic period of time - at least 4 weeks - in order to be able to react to your report before you publicly announce or share any information about it with others.
  • Ultimately, JobRouter AG determines the risk of the respective security vulnerabilities. The reported security vulnerability may, under certain circumstances, be software errors that do not represent security problems.
  • Reported security vulnerabilities as well as transmitted personal data are stored by JobRouter AG until the purpose has been fulfilled.

Data privacy

If you provide us with vulnerabilities or improvements and thereby transmit your personal data to us, such data will be collected and processed in accordance with Art. 6 Para. 1 lit. f) GDPR. We will only process your data for the purpose of processing the reports and in order to potentially contact you. A transfer to third parties will not take place and is also not planned. We will delete all transmitted personal data immediately after processing the report. Further information on the handling of personal data at JobRouter AG can be found in the data protection policy under: https://www.jobrouter.com/en/privacy/ 

Last update: 09/2023, last review: 09/2023, version 2.2

to top