
Responsible Disclosure Policy

iManage Security: Responsible Disclosure Policy

As a provider of software and services to over one million users, iManage takes security very seriously. We investigate all reported vulnerabilities and accept them from many sources including independent security researchers, customers, partners, and consultants.

This Vulnerability Disclosure Policy applies to any suspected vulnerabilities you are considering reporting to iManage.

Reporting

We value and appreciate any effort to discover and report suspected vulnerabilities according to this policy. However, iManage does not currently operate a public bug bounty program or offer monetary rewards for vulnerability reports.

When reporting a vulnerability, please include a description of the suspected vulnerability, reproduction steps, and contact information. If the vulnerability is confirmed, iManage will respond to the submitter in a timely manner and aim to provide updates regarding remediation.

Customers and Partners

If you are a customer or partner with access to Help Center, please follow the instructions here to report a vulnerability.

Security Researchers

If you are a security researcher, please email ProductVulnerability@imanage.com to report a vulnerability.

Our Commitment to You

  • To maintain security safeguards designed to ensure the confidentiality of the information you provide us

  • To treat everyone who contributes with respect and recognize your contribution to keeping our customers safe and secure.

  • To work with you to validate and remediate reported vulnerabilities

  • To investigate and remediate issues in a manner consistent with protecting the safety and security of both on-prem and cloud customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

What We Ask of You

We request that you do not:

  • Break any applicable laws, regulations, or agreements

  • Access, or attempt to access, data or information that does not belong to you

  • Access any data beyond the minimum necessary to provide a proof-of-concept

  • Modify or disrupt any iManage systems or services

  • Perform destructive testing

  • Perform any actions that may negatively affect iManage or its users (e.g., spam, brute force, denial of service, etc.)

  • Social engineer any iManage support desk, employee or contractor

  • Share, redistribute, or fail to properly secure data retrieved from any iManage systems or services

  • Upload, execute, or distribute any executables, malware, or harmful code to iManage applications or systems

We request that you please:

  • Handle all data retrieved during research in accordance with applicable laws and regulations

  • Delete any data retrieved during research upon submission of the vulnerability report or within 14 days of remediation

  • Communicate about potential vulnerabilities responsibly, providing sufficient time and information for our team to validate and address potential issues.

  • Use the options below to provide the technical details and background necessary for our team to identify and validate reported issues.

  • Act for the common good, protecting user privacy and security by refraining from publicly disclosing unverified vulnerabilities until our team has had time to validate and address reported issues. When possible, we would prefer that our respective public disclosures be posted simultaneously.

Out of Scope

Security issues related to iManage domains that we are already aware of and/or that should not be reported include:

  • Clickjacking on iManage domains

  • HTTPS configuration, including supported TLS versions and cipher suites

  • Security-related HTTP headers (including Strict Transport Security, Content Security Policy, CORS, etc.)

  • Systems that disclose the versions of the servers and software in use

  • DNS records, including those related to email (SPF, DKIM, DMARC)

  • Any non-exploitable vulnerabilities or issues related to a lack of “best practice”

Submit a vulnerability report

You can submit a vulnerability report through our Help Center using the link below.