Introduction
Here at PaperCut Software, we're passionate about a lot of things—top-quality software, out-of-the-box thinking, and a good brew of coffee. We also appreciate the keen eyes of those who share our zeal for making things better, especially when it comes to cybersecurity. So we've got a little policy here for the tech Sherlock Holmeses out there—yeah, that's you!
Code of Conduct for Cyber Sleuths
- First and foremost, put on your white hat and keep it on. You play fair, we play fair—good faith is the name of the game. Share your cyber discoveries with us before you go posting them online, and we'll do our best to ensure your research doesn't land you in the court of law. Even if a third party tries to take legal action against you for your detective work, we've got your back and will devote our own legal resources to making it clear to them (and any authorities/courts/whoever) that you had our authority to act, as long as it's done according to this policy. Outside of this, though, all our legal rights are reserved—just as a heads up!
- “Research,” for you aspiring cyber detectives, involves notifying us pronto if you discover potential security slip-ups. You must never take any action which violates anyone's privacy or directly or indirectly leads to degradation of user experience, disruption to production systems, or destruction or manipulation of data. Only use exploits to the extent strictly necessary to confirm a vulnerability's presence. For example, do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Be a bit patient, and give us some time to resolve the issue before you share it with the world. Try to refrain from spamming us with low-severity reports—save your energy for the big, juicy vulnerabilities.
- If you happen to stumble upon any sensitive data during your investigations (think personal details, financial info, or trade secrets), hit the brakes immediately, alert us, and don't disclose it to anyone else. Do the right thing—delete it or hand it over if we ask for it.
Scope
This program is for finding vulnerabilities in our own PaperCut Software products and services for print management, as long as you've got lawful access to them.
This means:
- PaperCut MF™
- PaperCut NG™
- PaperCut Hive™
- PaperCut Pocket™
- The PaperCut Mobility Print™, QRdoc™ or PaperCut Views™ tools
- PaperCut Multiverse™
- Our website https://www.papercut.com
- And all other PaperCut products and services.
We’ve got some restrictions on what we consider “out of scope”, but if you find a bug that you believe should be considered, give us a shout and the team will review it over a round of coffees.
Out of Scope
On a serious note, some investigative methods or types of exploit are off-limits:
- Network denial of service (DoS or DDoS) tests and other methods that impair access or cause harm to systems or data
- Physical tests like tailgating into our offices, social engineering stunts, or other non-technical tests
- Phishing
- Weak or insecure SSL ciphers or certificates
- Brute forcing, rate limiting, and other DoS-type attacks
- Physical attacks on our people, property, or us
- Unlawful access to, or modification of data
- Methods that degrade the performance of our software
- Sending unsolicited or unauthorized junk mail, spam, or similar
- Testing third-party applications, websites, or services integrated with ours
- Exploiting known-vulnerable libraries or frameworks without a valid attack scenario
- Exploiting mobile apps that require the host device to be rooted or jailbroken
- Self-exploiting issues
- Abusing outdated or unpatched browsers and platforms
- Uploading or sending harmful software like malware or viruses that could impact our services, products, customers, or any other party
- Attempting to hack or disrupt the usage of our coffee machine - no explanation required there!
How to Report
Found something? Awesome! You can let us know about any potential security vulnerabilities by sending us an email at security@papercut.com. If you want to encrypt your files before sending them to us, you may use our PGP key. You'll also find our security file here - https://www.papercut.com/.well-known/security.txt. We are only able to accept vulnerability reports in English.
We want you to feel confident about reaching out to our team of print management security specialists.
If you still have questions about the program or how to reach out to us, please contact us at security@papercut.com.