Vulnerability Disclosure Policy & Vulnerability Report Submissions.
RPost, the global standard for secure and certified electronic communications, is committed to ensuring the security of our customers and the reliability of our services. To this end, RPost accepts reports of any vulnerability of our services.
- RMail® Registered Email™ service
- RMail® encrypted email service
- RMail®, RSign®, RForms™ e-signature services and features
- RMail Gateway™ services
- RMail® services and features
Researchers who submit a vulnerability report will be given full credit in RPost's regularly published security bulletins and on the RPost website.
- Engaging in the testing of systems/research without harming RPost or its customers.
- Engaging in vulnerability testing within the scope of our vulnerability disclosure program and not diminishing the services’ availability to customers.
- Testing on products without affecting customers, or receiving permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhering to the laws of their location and the location of RPost. For example, violating laws that would only result in a claim by RPost (and not a criminal claim) may be acceptable as RPost is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon
How to Submit a Vulnerability
Vulnerability Reports should be submitted to email@example.com. The report email should:
- Include “Vulnerability Report” in the subject line.
- Include contact information for the person/organization submitting the report.
- Identify the RPost service in which the vulnerability was discovered.
- State the time and date of the testing that revealed the vulnerability.
- Describe the nature of the vulnerability in sufficient detail to allow RPost’s security team to replicate the vulnerability.
- If possible, include suggestions for possible remediation of the vulnerability.
RPost will not accept a vulnerability report unless it contains information sufficient for RPost’s security team to duplicate the vulnerability. If the vulnerability is triggered by a particular format or form of message or attachment, a copy of the relevant message or attachments should be included. If the vulnerability was detected using a password-protected RPost service, the report should include the username under which the tests were conducted.
Researchers reporting a vulnerability may expect:
- A timely response to your email.
- After analysis, a report on what steps RPost has taken or plans to take to remediate the
- Public credit after the vulnerability has been validated and fixed.