Responsible Disclosure Statement

Report Security Vulnerability


CIN7 is committed to resolving, as quickly as possible, any issue that may compromise the security of its products and services. We take security seriously, and protecting client data is one of our top priorities.

If you have discovered a security vulnerability, we would appreciate it if you could keep your findings strictly confidential and disclose the relevant information to us in a responsible manner, as described below.

How do you report a security vulnerability?

If you think you’ve found a security vulnerability in one of the CIN7 family of products (CIN7 CORE, CIN7 OMNI, or CIN7 ORDERHIVE), or in any other CIN7 product, service, or online platform, please contact us immediately by email and encrypt your report with our PGP key (verify the key’s fingerprint through a second channel before using it):

Email contact: securityteam@cin7.com
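The encryption step above, worked through with GnuPG as an added example: this is not CIN7's own tooling, and because the page does not publish the key or its fingerprint, the script generates a throwaway recipient key under a constructed address (securityteam@example.com) so that it runs offline. In practice you would import CIN7's published key instead and compare its fingerprint against one obtained out of band before encrypting anything.

```shell
#!/bin/sh
# Added example, not CIN7's own tooling: encrypt a vulnerability report to the
# security team's PGP key with GnuPG, checking the key's fingerprint first.
# To run offline, the recipient key is a throwaway key generated here and the
# address is a constructed stand-in; in practice, obtain CIN7's published key
# and confirm its fingerprint through a second channel before trusting it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TEAM_HOME="$WORK/team"          # stands in for the security team's keyring
REPORTER_HOME="$WORK/reporter"  # the researcher's keyring
mkdir -m 700 "$TEAM_HOME" "$REPORTER_HOME"
TEAM_EMAIL="securityteam@example.com"            # constructed address
TEAM_UID="Security Team <$TEAM_EMAIL>"

# Team side (constructed): create a key with an encryption subkey and export
# the public half, as a vendor would publish it. Prints the fingerprint.
team_generate_key() {
  gpg --homedir "$TEAM_HOME" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key "$TEAM_UID" default default never
  gpg --homedir "$TEAM_HOME" --batch --quiet --armor \
      --export "$TEAM_EMAIL" > "$WORK/team-pub.asc"
  gpg --homedir "$TEAM_HOME" --with-colons --list-keys "$TEAM_EMAIL" \
      | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Reporter side: import the published key and refuse to proceed unless its
# fingerprint matches the one obtained out of band.
reporter_import_key() {   # $1 = armored public key, $2 = expected fingerprint
  gpg --homedir "$REPORTER_HOME" --batch --quiet --import "$1"
  actual=$(gpg --homedir "$REPORTER_HOME" --with-colons --list-keys "$TEAM_EMAIL" \
           | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$actual" = "$2" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
}

# Encrypt the report for the team only (ASCII-armored so it pastes into mail).
reporter_encrypt() {      # $1 = plaintext report, $2 = output .asc
  gpg --homedir "$REPORTER_HOME" --batch --quiet --yes --trust-model always \
      --armor --recipient "$TEAM_EMAIL" --output "$2" --encrypt "$1"
}

# Team side: decrypt what arrived.
team_decrypt() {          # $1 = ciphertext, $2 = output
  gpg --homedir "$TEAM_HOME" --batch --quiet --yes --pinentry-mode loopback \
      --passphrase '' --output "$2" --decrypt "$1"
}

# Demonstration with a constructed report.
FPR=$(team_generate_key)
reporter_import_key "$WORK/team-pub.asc" "$FPR"
printf 'Product: example\nIssue: constructed test report\n' > "$WORK/report.txt"
reporter_encrypt "$WORK/report.txt" "$WORK/report.txt.asc"
team_decrypt "$WORK/report.txt.asc" "$WORK/report.dec"
cmp -s "$WORK/report.txt" "$WORK/report.dec"
echo "round trip ok"

# A wrong fingerprint must be rejected before anything is encrypted.
if reporter_import_key "$WORK/team-pub.asc" \
     "0000000000000000000000000000000000000000" 2>/dev/null; then
  echo "unexpected: bogus fingerprint accepted" >&2
  exit 1
fi
```

The `--trust-model always` flag suppresses GnuPG's interactive "use this key anyway?" prompt in batch mode; it is acceptable here only because the fingerprint was checked explicitly before encryption. Attach the resulting `.asc` file to the email, or paste its contents into the body.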

What to include in the report?

Please provide as much detail as possible. In particular, we would appreciate the following:

  • An explanation of the security vulnerability
  • A list of the products and services that may be affected (versions where applicable)
  • Steps to reproduce the vulnerability
  • Proof-of-concept code or software
  • Test accounts you have created
  • URLs, IP addresses, or infrastructure associated with the vulnerability (if relevant)
  • Your contact information, such as your organization and contact name for ongoing communication (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)

Please also advise if you have communicated the vulnerability to CERT or other parties and provide us with any reference numbers.

Rules of engagement

Please do not:

  • Exploit a security vulnerability
  • Access, delete, or modify CIN7 or client data
  • Publicly disclose a vulnerability until it has been resolved
  • Download more data than is necessary to demonstrate a vulnerability
  • Attempt to break into client accounts
  • Ask for compensation for your report
  • Use social engineering, denial-of-service, or phishing attacks

CIN7 does not waive any rights or claims with respect to such activities.

Next steps

Please maintain confidentiality and do not make your research public until we have completed our investigation and implemented patches or other mitigations. We will use the disclosure information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and to assist government or law enforcement agencies.

The CIN7 security team will endeavor to contact you within 72 hours of your report and keep you informed of our progress toward resolving the vulnerability. We will notify you when the security vulnerability has been patched or mitigated, and we will add your name to our acknowledgments page if it is a valid high or critical vulnerability.

Acknowledgments to Security Researchers

CIN7 thanks all security researchers and professionals who help improve the security of our products and services through our responsible disclosure program:

  • Mike Stage
  • Taseer Hussain
  • Sakshi Patil
  • Sahaj Gautam
  • M K Rahul/BugBoy07
  • A Nikhil Kumar/SpiritBoy47
  • Prince Kumar
  • Javeed Shaik
  • Naksh Raja
  • Harsh Maheta
  • Ratdin Madhak
  • Nic (lolzpro766)
  • Kamrul Hassan
  • Arthik Kumar Gorantla
  • Arshad Sk
  • Vikash Gupta
  • Ayush Kumar
  • Nikhil Rane
  • Vaibhav Jain
  • Vijay Sutar
  • Durvesh Kolhe
  • Navreet Singh
  • Gaurang Maheta
  • Khayrol Islam
  • Janhavi Rajendra Sonatkar
  • Hurain Javeid Khan
  • Chinmay Sogani
  • Harsh Sanghvi
