Disclosure policy

The security threat landscape is vast and, although we do our utmost to ensure our services and products are secure, we recognize the skill sets and creativity of individuals in the industry.

For this reason, Entersekt encourages security researchers to scrutinize and evaluate Entersekt’s security posture in a responsible manner. If done in accordance with this policy, Entersekt strives to validate and remediate security vulnerabilities in a timely, honest, and collaborative manner.

Entersekt will not take legal action against individuals who adhere to this policy when undertaking security evaluations or reporting security vulnerabilities in Entersekt’s services or systems. Entersekt endeavors to review and provide feedback on any vulnerabilities that meet the qualifying criteria.

Entersekt does offer a small bounty reward, which is dependent on our assessment of the vulnerability.

Qualifying criteria

The vulnerability must be for a system regarded as “In scope”, as per this policy.

Vulnerabilities that will not be considered include:

  • Unpatched software versions without proof of exploitation
  • Tapjacking or clickjacking vulnerabilities
  • Exploits that require jailbroken or rooted devices
  • TLS cipher suites
  • Cookie flags for unauthenticated sessions
  • SPF, DMARC, DKIM configurations

In scope

All services and systems operated and owned by Entersekt, namely:

Transakt Authentication app:

Out of scope

  • Distributed Denial of Service (DDoS) attacks or any other actions aimed at disrupting the availability of Entersekt’s systems or services
  • Attempts to access or modify users’ confidential information or data
  • Any system or service not explicitly stated as being “In scope”

Reporting a vulnerability

A vulnerability can be reported by sending a detailed report to security(at)entersekt(dot)com.
Your report should be in PDF format and include the following:

  • High-level overview
  • Detailed overview
      ◦ Description of vulnerability
      ◦ Systems affected (IP address, port, URL, or any other information that can be used to accurately identify the vulnerable component)
      ◦ Step-by-step instructions to reproduce the vulnerability
      ◦ Proof or screenshots of the exploitation process
      ◦ Proof of concept code to exploit the vulnerability
  • Remediation
      ◦ Your recommendations on how to fix the vulnerability

Entersekt will review all reports and provide feedback if the reports meet the minimum criteria.
If more information is required, Entersekt will contact you via the contact details provided in your email.
Entersekt will notify you when a vulnerability has been fixed.