Randori is committed to maintaining the privacy of customer data. Our policies, controls and processes ensure that our practices are aligned with the expectations of our customers and global privacy laws.
Randori complies with applicable law with respect to international transfers of personal data. Where a customer determines that its use of Randori’s services requires the transfer of personal data to a location outside the European Economic Area, Randori will execute a Data Processing Addendum (DPA) with the customer which includes Standard Contractual Clauses (also commonly referred to as EU Model Clauses). A copy of the Randori DPA is available to prospective and existing customers.
For any privacy-related questions, including Data Subject Requests, please email: email@example.com
We appreciate efforts to discover and coordinate the disclosure of security vulnerabilities. Randori operates a SaaS service for enterprise customers, and does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports.
If you would like to report a vulnerability in our service, or have security concerns regarding Randori assets or resources, please email: firstname.lastname@example.org
We take all vulnerability reports very seriously and will respond and verify the vulnerability before taking the necessary steps to address it. After an initial reply to your disclosure, we will update you periodically with our response and remediation status.
To support a timely and effective response to your report, please include any of the following:
- Your name and contact information
- Type of issue (XSS, vulnerable service, etc.)
- Affected Randori resource
- Potential impact of the vulnerability (i.e. what data can be accessed or modified). Please do not provide us with your calculation of a CVSS score.
- Step-by-step instructions to reproduce the issue
Randori follows coordinated vulnerability disclosure practices and requests that anyone reporting a vulnerability to us does the same.
Randori will assess all submissions, but considers the following vulnerabilities out-of-scope:
- 2FA exploits
- Absence or misconfiguration of HTTP headers
- Account/email enumeration using brute-force attacks
- Clickjacking on pages that only contain static content
- DDoS vulnerabilities
- Lack of SSL or Mixed content
- Low impact issues related to session management
- Missing Cookie flags
- Missing security-related attributes on non-sensitive cookies
- Social Engineering
- Third party components in our corporate website, such as marketing forms
- URL Redirection
- Vulnerabilities affecting users of outdated browsers, plugins or platforms
- Vulnerabilities that require the user/victim to perform improbable actions (i.e., Self-XSS)
- Vulnerabilities in components that the upstream developer/packager deems not fixable or not applicable
- Vulnerabilities that are identified but connect to a honeypot
- Vulnerabilities identified by an automated scanner such as Nessus, Nexpose, etc.
- Spoofed email due to SPF/DKIM/DMARC values