ABBYY

Vulnerability disclosure guidelines

At ABBYY, the security of client information is our top priority. It is our mission to continuously monitor and review all our security measures to ensure that every client is protected. We recognize the important role that security researchers play in keeping ABBYY and our clients secure. If you discover or have information about a potential vulnerability of an ABBYY product or website, please notify us using the guidelines below.

Guideline

We ask the security community to give us an opportunity to investigate and fix a potential vulnerability internally before any information about it is released publicly. Before starting any research-related activities, you shall agree to follow the guidelines below:

  • Make every effort to avoid privacy and security violations, degradation of user experience, disruption to the availability of production systems and environments, and destruction of data during security testing.
  • Comply with any laws and/or regulations that might be applicable to such research-related activity.
  • Perform research diligently and in good faith only on ABBYY products and websites, in accordance with their terms and conditions (for example, End-User License Agreement, Terms of Use, Terms of Service or any other agreement governing ABBYY products or websites) as well as public ABBYY policies, guidelines, notices, statements, instructions, etc.
  • If you are able to gain access to a system, account(s), user(s), or user data, stop at the point of recognition and report immediately. Do not attempt to determine how much more is accessible. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any such information upon reporting the issue to ABBYY.
Please do NOT
  • Violate, try to violate, contribute to the violation of, or ask anyone to violate or contribute to the violation of, any laws and/or regulations that might be applicable to such research-related activity.
  • Violate, try to violate, contribute to the violation of, or ask anyone to violate or contribute to the violation of, an ABBYY product's or website's terms and conditions (for example, End-User License Agreement, Terms of Use, Terms of Service or any other agreement governing ABBYY products or websites) as well as public ABBYY policies, guidelines, notices, statements, instructions, etc.
  • Request compensation for the reporting of security issues either to ABBYY, or through any external marketplace for vulnerabilities, whether black-market or otherwise.
  • Engage in disruptive testing like DoS/DDoS or any action that could impact the confidentiality, integrity, availability and resilience of information, systems and environments.
  • Engage in social engineering, phishing or any other similar activities with relation to ABBYY clients and/or employees or any other third parties.
  • Upload any vulnerability-related or client-related content to third-party utilities, websites, applications and/or services (e.g. GitHub, Dropbox, YouTube).
  • Test third-party providers and services.

Nota Bene: please note that you may be subject to legal prosecution. ABBYY is committed to not initiating legal action against researchers as long as they adhere to these Guidelines, act diligently and in good faith, and do not harm ABBYY, its clients or other third parties. This does not prevent ABBYY's clients, government authorities or other third parties from initiating legal action against researchers (for example, if researchers harm their assets, systems or information).

How to report information on a potential security vulnerability

If you believe you have found a security vulnerability related to ABBYY, please report it to us immediately upon recognition by emailing disclosure@abbyy.com. We can also provide an upload link if you prefer not to send the vulnerability information via email. Please include the following details with your report:

  • A description of the location of the potential vulnerability and an estimate of its impact.
  • A detailed description of the steps required to reproduce the potential vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful).