Overview
At OPEXUS + Casepoint we are steadfast in our commitment to the security and integrity of our enterprise software products. We understand the essential role that security researchers, ethical hackers, and the broader security community play in helping us identify and address potential vulnerabilities. To support transparent and responsible security practices, we have implemented a Vulnerability Disclosure Policy (VDP). This policy outlines the proper channels and expectations for reporting security vulnerabilities and details what researchers can expect from us in return.
Purpose
The purpose of this Vulnerability Disclosure Policy is to establish a clear process for security researchers, users, and third parties to report security vulnerabilities to our organization in good faith. Our goal is to foster collaboration, encourage responsible disclosure, and continually strengthen the protection of our products and customer data.
We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so we can fix them and keep our users safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.
The Vulnerability Disclosure Policy is composed of the following guidelines:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not intentionally compromise the privacy or safety of HHS personnel (e.g., civilian employees or military members), or any third parties.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of any organizational personnel or entities, or any third parties.
System Description
Casepoint
Casepoint is a data discovery platform for legal, investigatory, compliance, and IT teams who struggle to get actionable insights for data-centric business processes like eDiscovery, investigations, and information requests. Casepoint empowers leading corporations and government organizations to reduce costs, lower risk, and improve time-to-insight. Casepoint’s easy-to-use AI-powered platform is purpose-built for organizations that require the highest level of security and scalability to meet the evolving demands of the modern data landscape.
OPEXUS
eCASE is a dynamic case management and rapid application development platform that empowers professionals to elevate trust in public institutions. With secure and collaborative information and document management, robust reporting, adaptive workflows, role-based security, and comprehensive audit trail capabilities, eCASE helps public sector clients automate processes, reduce costs, improve transparency, and ultimately achieve better outcomes with less risk while maintaining compliance within demanding regulatory environments. eCASE and eCASE COTS solutions, including Correspondence, Audit, Investigations, Government Workforce Management, and FOIAXpress (the industry-leading, purpose-built FOIA case processing software), are FedRAMP Moderate certified SaaS. For more information, visit opexustech.com.
Key Benefits of a VDP
Countless vulnerabilities are being written into new and existing software every day, and organizations need to maximize their ability to discover them. However, according to research, 58% of ethical hackers (security researchers) won’t report a vulnerability if the owner of that vulnerability doesn’t provide a clear way of doing so.
- Reduce risk
- Improve security ROI
- Accelerate digital transformation
- Make better decisions on security initiatives
- Improve security transparency and customer confidence
VDPs help organizations achieve these goals in many different ways. Beyond building a stronger security posture, a VDP offers several key benefits in the eyes of an organization’s customers, partners, investors, and employees.
Reporting a Vulnerability
If you have discovered a security vulnerability in our software product or service, we encourage you to report it to us in a responsible and coordinated manner. We accept vulnerability reports at vulnerabilities@casepoint.com. Reports may be submitted anonymously.
- Cease testing and notify us immediately upon discovery of a vulnerability.
- Notify us within 72 hours of discovering any real or potential security vulnerabilities.
- Include a detailed description of the vulnerability.
- Include a proof of concept (PoC), if applicable.
- Include steps to reproduce the vulnerability.
- Include information about the affected product or service and its version.
- Include your contact information, including your name, email address, and any additional contact details.
- Purge any stored “secureocp.com” nonpublic data upon reporting a vulnerability.
- Do not submit a high volume of low-quality reports.
- Before reporting any vulnerabilities to CISA, we kindly request that you first contact us directly at vulnerabilities@casepoint.com. This helps us to:
  - Avoid duplicate or previously addressed reports,
  - Prevent the reporting of false positives, and
  - Ensure alignment with our operational requirements.
- Write your report in English, if possible.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely to, we may share your report with the Cybersecurity and Infrastructure Security Agency (CISA), where it will be handled under the CISA coordinated vulnerability disclosure process. We will not share your name or contact information without your express permission.
Additionally, OPEXUS + Casepoint Security Team members subscribe to vulnerability announcements from manufacturers, organizations, and various media outlets. At a minimum, for the protection of federal systems, team members are subscribed to US-CERT announcements and receive these alerts and advisories on an ongoing basis. We also refer to the CISA catalog of known exploited vulnerabilities to identify whether any are present in our environment. We use internal email groups to distribute security alerts to the appropriate personnel, including the engineers in charge of remediation.
We generate internal security alerts, advisories, and directives when they are applicable to the environment.
Our Security and Infrastructure Team is tasked with notifying relevant organization personnel of security alerts, advisories, and directives. The personnel with configuration and patch-management responsibilities for the environment receive these notifications by email.
We implement security directives within the time frames established by the issuing organization. In cases where the compliance time frames cannot be met, the Security Team is responsible for communicating the date by which the compliance objectives can be met.
Our environment is hosted exclusively in the United States and uses geographic IP whitelisting (US-only addresses).
Scope of Policy
This policy applies to systems and services that are accessible from the internet and are explicitly listed as in-scope. This currently includes the registered domain name secureocp.com.
Please adhere to the following guidelines:
- Authorized Testing Only: Testing activities should be limited strictly to the extent necessary to confirm the presence of a vulnerability.
- Out-of-Scope Systems: Any service not expressly listed above (including connected services, VPN-connected devices, or other associated infrastructure) is considered out of scope and is not authorized for testing.
- Third-Party Systems: Vulnerabilities identified in systems or services operated by our vendors or customers fall outside the scope of this policy. Such findings should be reported directly to the appropriate party in accordance with their own disclosure policies (if available).
- Uncertain Scope: If you are unsure whether a system is within scope, please contact us first at vulnerabilities@casepoint.com before initiating any research or testing activities.
While we develop and maintain other internet-accessible systems and services, we request that active testing and research be conducted only on the systems defined within the scope of this policy. If you believe another system not listed should be considered for testing, feel free to reach out to discuss it with us.
The following are not in scope for testing:
- Testing any system other than the systems set forth in the ‘Scope’ section above
- Attacks involving stolen credentials or physical access to endpoint devices
- Automated scans (without an exploitable PoC)
- Host header injection (without providing an exploitable scenario)
- Content spoofing vulnerabilities
- HTTP TRACE method being enabled
- Denial of Service (DoS) or DDoS
- DLL hijacking (without escalation of privileges)
- DNS configuration related issues
- Issues present in older versions of browsers, plugins, or any other software
- Low-severity clickjacking vulnerabilities
- Physical testing of facilities or resources
- Social engineering
- Sending unsolicited electronic mail to “secureocp.com” users, including “phishing” messages
- Introducing malicious software
- Testing in a manner which could degrade the operation of “secureocp.com” systems, or intentionally impairing, disrupting, or disabling HHS systems
- Using an exploit to exfiltrate data, establish command line access, establish a persistent presence on “secureocp.com” systems, or “pivot” to other organization systems
- Testing third-party applications, websites, or services that integrate with or link to or from “secureocp.com” systems
Our Commitment
- We will acknowledge receipt of your report within 5 business days.
- We will investigate and validate the reported issue promptly.
- We will strive to remediate valid vulnerabilities in accordance with our internal SLAs based on severity.
- We may publicly credit your contribution (with your permission) once the issue is resolved.
Disclosure
OPEXUS + Casepoint is committed to the timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action is more likely to increase risk than to decrease it. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate with us in advance.
We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.