Security

Your security matters at Arsys

The security of our products and applications goes to the core of our business. If you find any vulnerabilities in our products or systems, please report them.

 

Which threats can I report?

  • I suspect that my login credentials have been stolen

Do you think your account has been hacked or your Arsys login details have been stolen? Learn more about the immediate measures you can take, find password security tips and discover what you can do against online threats in our Help Center.

  • I receive spam and unsolicited emails

To reduce the number of unwanted marketing emails in your inbox, Arsys offers you a range of options. You can find more information about the configuration of our spam filters, as well as some of the tricks spammers use, in our Help Center.

  • I have received what looks like a phishing email from Arsys

Have you received an email from Arsys but have doubts about its authenticity? You can find tips on email verification, learn how to deal with phishing emails, as well as how to report phishing sites in our Help Center.

General information on online security can be found in other Help Center articles.

  • I would like to report a technical vulnerability, such as an XSS or SQLI vulnerability

Keeping our customers' data secure is very important to us. Arsys supports the responsible disclosure process and appreciates reports by well-intentioned, ethical security researchers. We are committed to investigating all reports and resolving the issues to protect our customers. This policy describes how Arsys works with the security community, the scope and the process.

Scope

The following vulnerabilities in Arsys products and services are in scope of this policy. We encourage every member of the security community to report findings in scope to us.

All vulnerabilities which impact the confidentiality, integrity or availability of our products and services and thus put our customers' data at risk.

The following vulnerabilities in Arsys products and services are not in scope of this policy. Please refrain from reporting them to us:

  • Denial of Service vulnerabilities (i.e. overwhelming our services with a high volume of requests)
  • TLS configuration specifics (e.g. no support for TLSv1.3, a specific cipher suite configuration, etc.)
  • Reports indicating that our services do not fully align with "best practice" (e.g. missing security headers or suboptimal email-related configurations such as SPF, DMARC, etc.)

Bug Bounty Program

At the moment, Arsys does not have an official bug bounty program.

 

Reporting a Vulnerability

Please read this document fully before reporting any vulnerabilities to ensure that you understand the policy and can act in compliance with it. Please report your in-scope finding (see the section above) to security@arsys.es and provide the following information:

  • Who is affected by the threat? Whenever possible, include the affected URLs.
  • How can the vulnerability be exploited? It may be helpful to include screenshots to illustrate the vulnerability.
  • All the relevant details, including the steps required to reproduce the issue. Note: Do not include sensitive data, such as your password, in your description.

If you prefer encrypted communication, please use our GPG key. Key-Id: 7A4187A8121BE832B487BE48BFE5B220188CF3A5, Fingerprint: 7A41 87A8 121B E832 B487 BE48 BFE5 B220 188C F3A5. Please do not send us confidential information such as your password or any other person-related data!

 

What to expect

Once your report arrives, our security team will:

  • Acknowledge the arrival of your report and assign you a unique identifier which will be in the email's subject line. Please keep the subject line intact and use the identifier in all further correspondence. We typically reply within one working day.
  • Check the validity of the finding and whether the report is a duplicate of an earlier case. If we have further questions, we'll get back to you.
  • If the finding is valid, it will be forwarded to the appropriate internal team for triage and to work on a plan for remediation. Please note that this can take some time. You're welcome to enquire about the status of the process, but please limit this to no more than once every 14 days.
  • We will contact you once the finding is remediated and might ask you to retest it.

Should we need to share your finding with another organization, we'll contact you in advance.

Arsys will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope Arsys service.

 

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team using the address given above.

  • I have another concern or comment

If you have any other concerns, please contact our Customer Support team directly.