Vulnerability Disclosure
Overview
GibbsCAM is committed to addressing any vulnerabilities in our products. We welcome collaboration with researchers who uncover these issues and will strive to resolve them promptly. We also place great importance on acknowledging and appreciating the contributions of researchers who partner with us to enhance the security of GibbsCAM.
Domains
- gibbscam.com
- online.gibbscam.com
Response Targets
GibbsCAM will strive to meet the following SLAs for participants in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 5 days |
| Time to Resolution | Dependent on severity and complexity |
We will strive to keep you informed about our progress throughout the process.
Program Rules
- Employees or relatives of employees are prohibited from participating.
- Please provide detailed reports with reproducible steps or a working Proof of Concept.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Do not publicly disclose a security issue before it has been fixed.
Priority
Our main focus is on critical and high severity vulnerabilities that jeopardize the confidentiality, availability, and integrity of an application, with an emphasis on the OWASP Top 10 Desktop Application Security Risks. We prioritize the following types of vulnerabilities:
- Sensitive Data Exposure
- Improper Cryptography Usage
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
- Poor Code Quality
- Remote Code Execution
- Authentication Bypass
- DLL Preload
- Serialization Issues
- Stack/Heap Buffer Overflows and Memory Overwrites
- Use after Free
- XML External Entity Processing in critical actions
Scope
In Scope
Currently, we are only seeking vulnerability feedback for the supported versions of the following applications and services:
Out of Scope
- Reports concerning CVEs or known vulnerabilities in desktop applications and unsupported versions will be classified as informational unless they are deemed critical or high severity. Critical and high-severity reports will be assessed on a case-by-case basis.
- Reports from automated tools or scans.
- Path disclosures resulting from error messages.
- Third-party sites (sites that reference the GibbsCAM brand but are not company properties, branded merchandise, etc.).
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) the attack scenario and exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Any activity that could lead to the disruption of our service (DoS).
Exclusions
While researching, please refrain from:
- Denial of service (including DoS, DDoS).
- Spamming.
- Social engineering (including phishing) of GibbsCAM staff, contractors, or customers.
- Any physical attempts against GibbsCAM property or data centers.
Eligibility & Disclosure Policy
- Let us know as soon as possible upon discovery of a potential vulnerability, and we will make every effort to resolve the issue quickly.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Please provide detailed reports with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Safe Harbor
HackerOne’s Code of Conduct
Activities that align with this policy and HackerOne’s Code of Conduct will be regarded as authorized, and we will not pursue legal action against you. Should a third party initiate legal proceedings related to actions taken under this policy, we will actively work to demonstrate that your activities were in compliance. We appreciate your efforts in helping to keep GibbsCAM and our users secure.
Vulnerability Disclosure Form