
Vulnerability Reporting Policy

At Paperless Innovations, we value the contributions of independent security researchers to internet security. We encourage responsible reporting of any vulnerabilities discovered in our site or applications and are committed to collaborating with researchers to verify and address them.

No Legal Action for Responsible Disclosure

Paperless Innovations pledges not to initiate legal action against security researchers who engage in responsible testing and reporting in accordance with this policy. We strongly encourage you to contact us before conducting any testing if you are unsure whether your planned activities might impact our systems or users. By working together, we can establish clear boundaries and a collaborative approach that allows for thorough security testing while protecting our production environments, stakeholder agreements, and service level commitments.

Please Note:

  • Responsible Disclosure: Researchers who strictly adhere to the guidelines of this policy—using designated test environments, test accounts, and refraining from harmful activities—will be protected from legal action.
  • Prohibited Harmful Testing: Any testing that results in data loss, system downtime, unauthorized access, or any form of legal complications (including but not limited to degradation of service or disruption of stakeholder operations) will be considered outside the scope of authorized activity. In such cases, Paperless Innovations reserves the right to take legal action.
  • Collaborative Approach: We love to support and contribute to the security community. If you are interested in testing that may fall into a gray area or require a broader scope of engagement, please reach out to us first. Together, we can discuss a coordinated and safe approach that benefits both parties.

Testing for Security Vulnerabilities

Whenever a Trial or Developer Edition is available, please conduct all vulnerability testing against such instances. Always use test or demo accounts when testing our online services. Please refrain from testing on production systems unless you have explicit written authorization.

Reporting a Potential Security Vulnerability

To report security or privacy issues that affect Paperless Innovations products or web servers, please contact: security@act.us

You can use Paperless Innovations’ PGP key (see below) to encrypt sensitive information sent via e-mail. When we receive your email, we will send an automatic acknowledgement. If you do not get this email, please check the email address and send it again. We will follow up with additional communications if further information is needed to investigate a security issue. Please provide full details of the suspected vulnerability so that the Paperless Innovations security team may validate and reproduce the issue.

Paperless Innovations prioritizes customer protection and generally does not disclose, discuss, or confirm security issues until a full investigation has been conducted and any necessary patches or releases have been made available.

Encrypt with PGP

When sending sensitive information to Paperless Innovations, we recommend encrypting your email using PGP. This sensitive information might include, but is not limited to:

  • Vulnerability details: Information regarding how a vulnerability was discovered, including potential attack vectors.
  • Personally Identifiable Information (PII): Such as names, addresses, Social Security Numbers, or other data elements that can uniquely identify an individual.
  • Authentication Data: Credentials, tokens, session cookies, or other sensitive authentication artifacts.
  • Technical Details: System logs, error messages, configuration files, or diagnostic information that may include sensitive data.
  • Protected Health Information (PHI): If applicable, any data related to health that requires protection under relevant laws.

You can download free software for generating PGP keys from GnuPG Downloads.

Paperless Innovations PGP Key


The Paperless Innovations PGP key is rotated annually. When we generate a new key, it will be available from this web page.

Prohibited Security Research and Testing Practices

While we encourage you to discover and report vulnerabilities in a responsible manner, the following actions are expressly prohibited. These restrictions are in place to protect our systems, ensure service availability, and honor our commitments to stakeholders:

  • Negative Impact on Services or Users:
    • Performing actions that may negatively affect Paperless Innovations or its users (e.g. spam, brute force attacks, Denial of Service).
  • Unauthorized Data Access or Manipulation:
    • Accessing, or attempting to access, data or information that does not belong to you.
    • Destroying, corrupting, or attempting to destroy or corrupt data or information that does not belong to you.
    • Testing that could inadvertently expose or compromise the data of other users.
  • Physical and Electronic Attacks:
    • Conducting any kind of physical or electronic attack on Paperless Innovations personnel, property, or data centers.
    • Social engineering any Paperless Innovations service desk, employee, or contractor.
  • Testing on Production Environments:
    • Conducting vulnerability testing on live production environments. Always use test or demo accounts and environments provided for testing purposes.
  • Prohibited Automated Testing:
    • Automated Vulnerability Scanning: The use of automated tools—including scanners, fuzzers, or similar technologies—that might generate excessive load or interfere with our services is prohibited on production systems.
    • Network Mapping & Port Scanning: Unauthorized network mapping, port scanning, or enumeration that may expose system architecture details or impact system availability is not allowed.
  • Third-Party and Integration Testing:
    • Testing that extends to third-party services, APIs, or integrations that interact with Paperless Innovations’ systems is prohibited unless you have explicit authorization.
  • Exploitation and Proof-of-Concept Attacks:
    • Any attempt to exploit or demonstrate vulnerabilities in a manner that could lead to data loss, degraded performance, or interruption of service is prohibited. Limit testing to observation and reporting.
  • Interference with System Operations:
    • Testing that may cause data corruption, accidental deletion, unauthorized access, or alteration of system operations is strictly prohibited.
    • Generating excessive or repeated requests (e.g., repeated login attempts or requests designed to overwhelm the system) that may degrade the performance of our services is not allowed.
  • Bypassing Security Mechanisms:
    • Attempts to bypass or circumvent authentication, authorization, or other access control mechanisms without explicit permission are prohibited.
  • Legal and Contractual Violations:
    • Violating any laws or breaching any agreements (including those with stakeholders or service level agreements) in order to discover vulnerabilities is strictly prohibited.

Our Commitment to the Research Community

If you responsibly submit a vulnerability report, the Paperless Innovations security team and associated development organizations will use reasonable efforts to:

  • Respond in a Timely Manner: Acknowledge receipt of your vulnerability report.
  • Provide an Estimated Time Frame: Inform you of the timeline for addressing the reported issue.
  • Notify on Resolution: Let you know when the vulnerability has been fixed.

We are happy to thank every individual researcher who submits a vulnerability report that helps improve our overall security posture at Paperless Innovations.

Thank you for helping us maintain and improve the security of our systems. Your responsible disclosure makes a critical contribution to protecting our users and infrastructure.