Security Reporting

Responsible Disclosure

The safety of Instant-ERP systems is our highest priority. We welcome responsible disclosure of security vulnerabilities and commit to handling every report with speed, care and transparency.

Last updated · 11 May 2021

01 About This Policy

The safety of Instant-ERP systems, whose back end is based on Odoo (which we also use internally), is very important to us. We treat security problems with the highest priority, work every day to protect our customers from known security threats, and welcome all reports of security vulnerabilities discovered by our customers.

We are committed to handling vulnerability reports with the greatest speed and care, provided that the rules set out below are respected.

02 Reporting an Issue

Send a private report to our Security Team

Email dataprivacy@e-globalscm.com.my with as much detail as possible:

  • Detailed steps to reproduce the problem
  • The versions that are affected
  • Expected results and actual results
  • Any other information that helps us react faster and more efficiently

You may send this report from an anonymous email account — we promise not to disclose your identity if you do not want us to.

03 Disclosure Procedure

  1. You privately share the details of the security vulnerability with our Security Team by reporting an issue (see above).
  2. We acknowledge your submission and verify the vulnerability as soon as possible.
  3. We work on a correction in collaboration with you.
  4. We write a detailed Security Advisory describing the issue, its impacts, possible workarounds and solution — and ask you to review it.
  5. We privately broadcast the Security Advisory and the correction to stakeholders and customers with an Odoo Enterprise Contract.
  6. We give stakeholders and customers a reasonable period (e.g. 3 weeks) to apply the correction before it is disclosed publicly.
  7. We share the proposed counter-measure with our principal Odoo partner contact and wait for their approval before it is validated.
  8. Odoo's security team discloses and broadcasts the Security Advisory and correction on Odoo's public security channels.

04 Rules

✓ Please do
  • Test vulnerabilities only on your own deployments or on a demo database we have provided.
  • Send your report from an anonymous account if you prefer privacy.
  • Contact us first if you have any doubt about whether to report an issue.
✗ Please do not
  • Attempt to access or modify data that does not belong to you.
  • Run denial-of-service attacks or otherwise compromise service reliability.
  • Use automated scanners or tools to find vulnerabilities.
  • Attempt non-technical attacks such as social engineering, phishing, or physical attacks.
  • Publicly disclose vulnerabilities without our prior consent.

In return, if you have followed these rules, we will:
  • not initiate legal action against you;
  • process your report and respond as quickly as possible;
  • provide a fix as soon as possible;
  • keep you updated on our progress;
  • not publicly disclose your identity if you do not want to be credited.

05 What to Report

✓ Report these
  • SQL injection vectors in public API methods
  • XSS vulnerabilities that work in supported browsers
  • Broken authentication or session management allowing unauthorized access
  • Broken sandboxing of customizations allowing arbitrary code execution
✗ Open a regular bug report for these
  • XSS vulnerabilities that only work in unsupported or deprecated browsers
  • Clickjacking or phishing attacks that rely on social engineering
  • Open redirectors used for indirect phishing
  • Scripting or brute-forcing of components that work as designed
  • Disclosure of public or low-risk information
  • Issues with the default configuration of access-control rules

If you have any doubt, please ask us first!