Reporting Vulnerabilities to DocuWare
DocuWare welcomes vulnerability reports from security researchers and customers. If you believe you have found a security issue in a DocuWare product or service and would like to report anonymously, please submit it through this form. We ask that you:
- Report the vulnerability as soon as possible after discovery.
- Follow the scope and rules of engagement outlined below.
This is an anonymous reporting form. No contact information is collected (nor any other information beyond the fields below), so DocuWare cannot respond to individual submissions.
DocuWare will not pursue legal action against those who act in good faith in accordance with the scope and rules of engagement.
If you prefer to report non-anonymously so we can coordinate this together, please see our security.txt for contact details. This is completely optional.
Scope
The following assets are in scope for this program:
- Any services included in DocuWare's cloud offering (*.docuware.cloud)
- Officially supported on-premise products or services
- Officially supported desktop applications
- Officially supported mobile applications (iOS and Android)
Any asset or service not in the explicit scope defined above is considered out of scope. End-of-life versions of products or services are also out of scope.
Rules of Engagement
When researching vulnerabilities you must:
- Only test against accounts and organizations you own or have explicit permission to use. Testing against other organizations is strictly prohibited and may result in legal action.
- Not use automated scanning tools without manual validation and confirmation of exploitability.
- Not perform denial-of-service attacks or resource exhaustion testing.
- Not access, exfiltrate, or retain personal data belonging to anyone other than yourself or your organization.
- Not modify or destroy data outside of your own test accounts.
- Submit one vulnerability per report.
- Clearly document each step for DocuWare to reproduce the finding.
Priority Vulnerabilities
The following vulnerabilities are most relevant to this program:
- Remote Code Execution (RCE)
- Access control vulnerabilities, privilege escalation, and lateral movement
- Sensitive or confidential data exposure
- Injection, especially if it leads to unauthorized access to confidential features or data, e.g. gaining access to a document you're not supposed to have access to
- XML External Entity (XXE) attacks
- Cross-Site Scripting (XSS) (stored, DOM-based, or reflected)
- Cross-Site Request Forgery (CSRF) with meaningful, proven impact
- Server-Side Request Forgery (SSRF)
- Open redirects (if there's an exceptional impact, i.e. in OAuth applications)
- User or account enumeration
Out of Scope Vulnerabilities
The following vulnerabilities are out of scope, subject to DocuWare's discretion:
- Raw reports from scanners or automated tools
- Outdated or vulnerable software version reports - unless there is a working PoC demonstrating exploitability and security impact
- Brute-force attacks
- CSRF with minimal implications (login/logout CSRF)
- CSV injection
- Clickjacking
- Self-XSS
- Distributed Denial-of-Service attacks
- Absence or failure to rate limit endpoints
- Content Security Policy (CSP) issues
- Host header injection without demonstrable impact
- Missing security headers
- Missing 'Secure', 'SameSite', or 'HTTPOnly' cookie flags
- Verbose error messages, stack traces, debug output
- Known public file or directory disclosure (e.g. robots.txt, sitemap.xml)
- SSL/TLS configuration issues (weak ciphers, expired certificates)
- SPF/DKIM/DMARC issues
- Scenarios requiring improbable user interaction
- Scenarios requiring physical access to the device
- Social engineering or phishing attacks
- Best-practice or hardening suggestions with no demonstrable vulnerability
Vulnerability Disclosure Program Details
- No rewards beyond our gratefulness. DocuWare does not offer monetary compensation for vulnerability reports.
- We kindly ask you to coordinate the disclosure with DocuWare first before sharing, publishing, or disclosing any findings to third parties. This way we can coordinate the disclosure responsibly, adjusted to the specific situation at hand.
- Active collaboration with DocuWare is not required, only highly encouraged. Anonymous reports are still welcome.
- Remember that, in order for us to coordinate this together with you, you would need to submit your report non-anonymously via the contact details in our security.txt.
Submit a Vulnerability Report
This form is anonymous. No contact information is collected or required. Because no follow-up is possible, DocuWare cannot request additional technical details or clarification after submission. For complex issues, further explanation or evidence is often necessary to process a report. As anonymous submission prevents any follow-up, anonymous reports may only be processed to a limited extent or possibly not at all. Please be clear and precise while communicating your findings, especially for complex ones.