TMG Security

TMG Security’s Responsible Disclosure Policy

We constantly strive to make our systems safe for our customers to use. However, in the rare case that a security researcher or member of the general public discovers a security vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution and will work closely with them to address any reported issue with urgency. Further, we are happy to acknowledge your contributions publicly.

Process to report an issue
  • E-mail your findings to [email protected]. Please include your contact information, including your mobile number.
  • Do provide enough information to reproduce the problem, so that we can resolve it as quickly as possible.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.
We are not part of a cash/bug bounty program but are happy to issue a certificate of recognition to individuals who report security issues responsibly and help us make TMG Security systems more secure.
Contributors – TMG Security Responsible Disclosure Program.
TMG Security would like to thank all individuals who have discovered and reported vulnerabilities in TMG Security applications as per the responsible disclosure program. We sincerely appreciate the efforts of each individual listed in our wall of fame and we thank them for their technical skills, security knowledge, and constructive engagement with TMG Security. TMG will also provide some swag to the researchers who helped us to build a secure platform.
Scope

Note – Any subdomain or asset owned by TMG Security other than the two mentioned above is out of scope and is not eligible for any reward.

Out of scope

Out of scope are trivial vulnerabilities or bugs that cannot be abused. The following is a non-exhaustive list of examples of such vulnerabilities:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages.
  • Automated scanner vulnerabilities / CVEs.
  • Fingerprinting and other ways in which versions are disclosed on common/public services.
  • Disclosure of known public files or directories or non-sensitive information, (e.g. directories set up for downloads).
  • Clickjacking and issues only exploitable through clickjacking.
  • Login / Logout CSRF
  • Open Redirect – Unless it’s escalated to another severe issue.
  • Lack of Secure / HttpOnly flags on non-sensitive cookies.
  • OPTIONS HTTP method enabled.
  • Weak password vulnerabilities.
  • WordPress vulnerabilities.
  • Anything related to HTTP security headers, e.g.:
    • Strict-Transport-Security.
    • X-Frame-Options.
    • X-XSS-Protection.
    • X-Content-Type-Options.
    • Content-Security-Policy.
  • SSL Configuration Issues:
    • SSL forward secrecy not enabled.
    • Weak / insecure cipher suites.
  • SPF, DKIM, DMARC issues.
  • Reporting older versions of any software without proof of concept or working exploit.
  • Systems and protocols that can be used in DDoS or DoS attacks.

Also, reports that can be considered a beg bounty will not be processed nor responded to.

Rules of engagement

If you think you’ve identified a vulnerability, we’d also very much appreciate it if you:

  • Don’t exploit your finding.
  • Share the information with just us, not other parties.
  • Give us time to analyze the situation and fix the bug.