Vulnerability Disclosure Program

Intermedia greatly appreciates well-intentioned and ethical security researchers for their help in making our products more robust and bringing secure services to our customers. As such, we welcome security community members to investigate the security of our systems for potential vulnerabilities and are committed to thoroughly review and resolve valid submissions. If you think that you have found a security vulnerability in any of applications or services, operated by Intermedia, please let us know. Before reporting though, we encourage you to carefully read the contents of this page and follow the rules and recommendations listed. Note that we are only able to review technical vulnerability reports. Non-security bugs, queries about problems with your account and abuse reports should be instead directed to our Customer Support.

Services in scope

Generally, any Intermedia-owned application or service, that handles reasonably sensitive user data, is in scope. This includes almost every web service, hosted under the following subdomains:

  • *.intermedia.com
  • *.intermedia.net
  • *.anymeeting.com
  • *.myonlinedata.net
  • *.mycontactcenter.net
  • *.telecomsvc.com
  • *.accessline.com
  • *.cloudid.com
  • *.elevate.services,

as well as current version of official Intermedia mobile and desktop applications:

  • Intermedia Unite®
  • AnyMeeting®
  • SecuriSync®

Not in scope

Some of our customers may have their services or infrastructure hosted under Intermedia domains. We cannot authorize you to test such systems, as we do not own them, nor would we be able to provide you protection under Safe Harbor. If in doubt regarding any particular asset – ask us first!

General Rules

In order to make our collaboration effective, safe and convenient for both parties, we encourage you to:

  • Test only with your own Intermedia accounts when investigating bugs, and do not interact with other accounts (which includes modifying, copying, viewing, transmitting, or retrieving data from the other account) without the account owner’s explicit written consent, which you must present to Intermedia upon request.
  • Avoid privacy violations, degradation of user experience, disruption of production systems, and destruction or manipulation of data.
  • Do not utilize automated scanners, that generate significant volumes of traffic.
  • Only exploit security vulnerabilities you discovered to the extent necessary to confirm the vulnerability.
  • Provide detailed reports to Intermedia with reproducible steps.

Currently we are not able to provide any monetary rewards. We would however like to express our deepest gratitude to the researchers who take their time and effort to investigate and report security vulnerabilities in accordance with this Program.

Qualifying vulnerabilities

Any design or implementation issue that affects confidentiality or integrity of user data is likely to be qualifying. We are particularly interested in the following categories of security bugs:

  • Server-side code execution
  • SQL injection
  • Unrestricted file system access
  • Authentication/Authorization bypass
  • Server-side request forgery to internal service
  • Cross-site scripting
  • Cross-site request forgery on sensitive actions
  • Sensitive information leakage
  • Business logic flaws with high security impact

Please note that we only accept technical vulnerabilities. Do not try to bypass physical security controls in any of Intermedia offices, perform spamming or social engineering attacks against Intermedia customers, partners, vendors, or employees, and do otherwise questionable things.

Non-qualifying vulnerabilities

We will unlikely review and respond to the submissions of the following types:

  • "Scanner output" or scanner-generated reports
  • Denial of Service attacks
  • Brute Force attacks
  • CSV Injection
  • Security issues in apps or services that are not operated by Intermedia (including third-party services and websites operating on Intermedia’s subdomains)
  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Spam or Social Engineering techniques
  • Issues relating to Password Policy
  • Non-sensitive information disclosure (such as product version, path, etc.)
  • CSRF in actions that are non-significant (e.g., logout) or do not require authentication (or a session) to exploit
  • Framing and clickjacking vulnerabilities without a documented series of clicks that produce a real security impact
  • Self-XSS without demonstrating a real impact for users
  • Lack of security mechanism or inconsistency with best practices without demonstrating a real security impact (e.g., lack of security headers)
  • SSL/TLS misconfigurations (e.g., weak cipher-suites)
  • Vulnerabilities that only affect users of outdated or unpatched browsers
  • Insecure cookie settings for non-sensitive cookies
  • Bugs that do not pose any security risk

Reporting a vulnerability

If you have found a vulnerability, please contact us at [email protected].

In order to make the review process smooth and effective, please include all the technical details required to identify and reproduce the issue, as long as your estimation of the impact. The report should normally include:

  • Vulnerable host or application name
  • Brief description of the issue
  • Brief description of the impact (e.g. unauthorized access to user account, privilege escalation, etc.)
  • Link to the calculated CVSS v3.0 rating
  • Steps to reproduce
  • Attack scenario

Public Disclosure

  • Be patient and give us reasonable time to review and fix the issue you have reported. We are committed to fix valid submissions within 90 days or less.
  • Do not disclose any vulnerability information in a web service publicly or privately before the fix is confirmed by Intermedia or the report is rejected.
  • Do not disclose any vulnerability information in a mobile or desktop application publicly or privately before it is fixed and within 30 days after the fix is confirmed by Intermedia or the report is rejected.
  • Do not disclose any sensitive information that may have been accidently obtained during vulnerability research.

Safe Harbor

Any activities conducted in good faith in a manner consistent with this Program will be considered authorized conduct, and we will not initiate legal action against you for such activities. If legal action is initiated by a third party against you in connection with activities conducted under this Program, we will take steps to make it known that your actions were conducted in compliance with this Program.

General

Intermedia reserves the right to discontinue or change the terms of this Program at any time without notice. Intermedia further reserves the right of final decision on the interpretation of the terms of this Program.