Introduction to Esper’s security policy
Esper is an end-to-end policy platform, which means that many of our clients are government officials. We take seriously our responsibility to secure their data and communications with a transparent security policy. To that end, we encourage you to contact us if you identify any potential vulnerability in our systems.
This security policy is intended to give clear guidelines for conducting security research and submitting the results to us.
In particular, this policy describes authorized systems and types of research, how to send us vulnerability reports and how long we ask you to wait before publicly disclosing vulnerabilities.
Authorization
If you make a good faith effort to comply with this security policy during your research, we will consider your research to be authorized. We will work with you to understand and resolve any issues quickly, and Esper will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this security policy, we will make this authorization known.
Research guidelines
Under this security policy, “research” means activities that meet the following guidelines.
- Access Esper data only to the extent necessary to confirm a vulnerability
- Do not violate the privacy of Esper users or third parties
- Make every effort to avoid the degradation of user experience
- Do not intentionally disable or alter any functionality
- Do not attempt to corrupt data
- Perform only reasonable testing using your browser and forensic tools
- Do not attempt denial-of-service attacks
- Do not attempt to manipulate Esper users or employees via social engineering
- Notify Esper as soon as possible about any real or suspected vulnerability
- Once you have established that a vulnerability exists or have encountered any sensitive data (including personally identifiable information), you must stop your test and notify us immediately
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
- Never disclose any sensitive data
Reporting a vulnerability
We accept vulnerability reports as part of this security policy at the following address: security@esper.com. You may encrypt your report using our PGP key: https://esper.com/pgp-key.txt.
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location of the vulnerability and its potential impact
- Offer a detailed description of the steps needed to reproduce the vulnerability
- Include scripts, screenshots or traffic logs, if possible
- Be in English, if possible
- Emphasize quality over quantity (i.e., do not submit a high volume of low-quality reports)
In return, we commit to coordinating with you openly and quickly.
- Within 3 business days, we will acknowledge by email that we have read your report
- To the best of our ability, we will confirm the existence of the vulnerability to you, and we will maintain an open dialogue about the progress of our remediation
- If the vulnerability is due to a third-party vendor that Esper uses, we may contact that vendor. We won’t disclose your identity or contact information to the vendor, unless you request that we do so
- If and when we publicly disclose the vulnerability, we will acknowledge you, if you give permission
Scope of Esper’s security policy
This security policy applies to all of Esper’s Internet-accessible applications:
- The primary application website: app.esper.com
- Single-tenant applications: app.*.esper.com
- Any resource accessed by any of the above applications, to any level of subdomain nesting, as long as its domain ends in esper.com