RPost is a global leader in secure and certified electronic communications, built upon its patented RMail®, RSign®, and Registered Email™ delivery proof, email encryption, e-security, and e-signature technologies. Millions of users have enjoyed RPost services in more than 100 countries, since 2000.
RPost accepts reports of any vulnerability of our services.
RPost’s Vulnerability Disclosure Program initially covers the following products:
- RMail® Registered Email™ service
- RMail® encrypted email service
- RMail®, RSign®, RForms™ e-signature services and features
- RMail Gateway™ services
- RMail® e-security and file share services and features
Researchers who submit a vulnerability report will be given full credit in RPost’s regularly published security bulletins and on the RPost Website if the report issue merits an article.
The RPost corporate entities and affiliates will not engage in legal action against individuals who submit vulnerability reports for their activities in identifying and reporting the vulnerability, such activities consisting of:
- Engaging in the testing of systems/research without harming RPost or its customers.
- Engaging in vulnerability testing within the scope of our vulnerability disclosure program that do not diminish services availability to customers.
- Testing on products without affecting customers, or after receipt of permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhering to the laws of their location and the location of RPost corporate entities and affiliates. For example, violating laws that would only result in a claim by RPost (and not a criminal claim) may be acceptable as RPost is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed upon timeframe expires.
How to Submit a Vulnerability
Vulnerability Reports should be submitted to firstname.lastname@example.org. The report email should:
- Include “Vulnerability Report” in the subject line.
- Include contact information for the person/organizations submitting the report.
- Identify the RPost service in which the vulnerability was discovered.
- The time and date of the testing that revealed the vulnerability.
- Describe the nature of the vulnerability in sufficient detail to allow RPost’s Security team to replicate the vulnerability.
- If possible, suggestions for possible remediation of the vulnerability.
RPost will not accept a vulnerability report unless it contains information sufficient for RPost’s security team to duplicate the vulnerability. If the vulnerability is triggered by a particular format or form of message or attachment, a copy of the relevant message or attachments should be included. If the vulnerability was detected using a password protected RPost service, the report should include the username under which the tests were conducted.
Researchers reporting a vulnerability may expect:
- A timely response to your email.
- After analysis, a report on what steps RPost has taken or plans to take to remediate the vulnerability.
- Public credit after the vulnerability has been validated and fixed if the reported issue merits an article.