Cognizant recognizes how important the security community is in helping to keep our products, solutions, systems, tools and ultimately our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.
The following Responsible Disclosure Guidelines (“Guidelines”) describe the voluntary program through which Cognizant will engage with parties who identify and report to Cognizant potential security vulnerabilities.
Please note that Cognizant is not offering compensation in exchange for information pertaining to security vulnerabilities under this or any other bounty or responsible disclosure program.
The Cognizant Cybersecurity Incident Response Team (CSIRT) handles incident response for Cognizant and coordinates internally as appropriate.
Cognizant will aim to respond to new reports within 7 business days. Please note, report status marked as triaged is subject to change pending our team's final analysis.
Customers and other entitled or authorized users of a Cognizant product or solution should contact the respective Cognizant Technical and Solution Support teams to report any issues discovered within Cognizant products. If the Technical Support and Solution Team determines that a reported issue is a security vulnerability, it will contact Cognizant CSIRT, as needed.
# Program Guidelines
- Do not cause harm to Cognizant, our customers, our business partners, our affiliates, or others;
- Do not conduct social engineering, including the use of spear phishing tactics, of Cognizant personnel, clients, customers, business partners or contractors.
- Do not impact the integrity or availability of any systems or users or the operation of our applications, systems or services, including through any type of brute force attacks, any types of denial of service attacks, destruction of data, and interruption or degradation of our services;
- Do not publicly disclose or share with a third party any potential vulnerabilities reported under this program without receiving our express written authorization in accordance with the confidentiality provision below.
- Do not compromise the privacy or safety of our employees, customers, or users. More precisely:
  - Do not deliberately access user data, including but not limited to personally identifiable information (PII) and personal health information (PHI);
  - Do contact us immediately if you inadvertently encounter user data, including but not limited to PII and PHI;
  - Do not view, alter, save, store, transfer, or otherwise access such data;
  - Do immediately purge any local information upon reporting the vulnerability to Cognizant, and provide Cognizant with evidence that you deleted the data; and
  - Do act in good faith to avoid privacy violations.
- Do provide a clear fact-based description of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability). Please include a description and explanation of the security issue identified and proof of concept (if applicable);
- Do not include any information that may identify an individual (such as a name, contact information, or other similar information) in any attachments included in your submission and vulnerability report;
- Do not conduct any form of login (interactive or system) with any credentials that may have been obtained. If any credentials have been obtained, do report this as a credential leak and do specify the source, where the credential(s) are or were found, how they were found, what the believed impact is (based on mode of discovery), and detailed context about the uncovered leak.
- Do not use any obtained credential to "pivot" or test the credential against any system, service, or application, whether Cognizant or non-Cognizant owned.
- Do not alter, remove, or upload files in any situation and/or as part of any remote code execution (RCE) exploit. Do not read sensitive system files or modify file permissions in any situation. Furthermore, you are not permitted to interact with the underlying OS or services or any other components, such as, but not limited to, databases, jump servers, application servers, etc.
- Do not maintain any type of established or persistent connection mechanism, including but not limited to netcat, SSH reverse tunnels, etc.
- Cognizant does not participate in compensated bug bounty awards at this time;
- When submitting a report, you acknowledge you are subject to HackerOne's Disclosure Guidelines (as modified by this Program Policy including but not limited to disclosure timelines), the HackerOne Finder Terms and Conditions and the HackerOne General Terms and Conditions; and
- Cognizant may choose to disregard submissions by parties who submit a high volume of low-quality, incomplete, and/or non-actionable reports;
- Do comply with all applicable laws.
- Cognizant does not allow disclosure of findings.
# Scope
Please note that the following companies are also in scope of this program:
- 10th Magnitude
- Advanced Technology Group
- Brilliant Service
- Belcan
- Contino
- DevBridge
- HUNTER Technical Resources
- LEV+
- Magenic
- Matterway
- Mirabeau
- Mobica
- Netcentric
- NewSignature
- Servian
- Softvision
- TMGHealth
- Trizetto Provider Solutions
# Out of Scope Submissions
#### The following submissions are not accepted as part of this program. All submissions must demonstrate a security impact and/or a vulnerability.
- Low-quality submissions or a "data dump" from automated tools or scans. Such submissions will be disregarded.
- Submission of issues without a clearly stated and identified security impact and vulnerability.
- Speculative reports about and/or containing theoretical damage without tangible and hard evidence or information of substance indicating a true attack path and exploitability.
- Reports of insecure SSL / TLS ciphers without a working proof of concept. Reports from TLS / SSL scanning sites are not adequate and are considered a scan-related data dump.
- Self-exploitation or attacks within a logically suitable position, i.e. self-application cookie recycling / re-use attacks.
- Open ports which do not lead directly to a vulnerability.
- Best practice / hygiene recommendations without tangible risk identified including a working concept.
- Presence of autocomplete attributes on a web application / form.
- Forms missing CSRF tokens without evidence of the actual CSRF vulnerability.
- Self cross-site scripting (XSS) vulnerabilities without evidence on how the vulnerability can be used to attack another user.
- Distributed or non-distributed Denial of Service attacks. Submissions of vulnerabilities showing an attack "may" occur will be reviewed provided a vulnerability with working details is part of the submission. "Working details" means a paper review, not a logical / actual test. Do not perform any type of DoS tests or simulations.
- Simple submissions of pure reconnaissance data, i.e. banner-grabbing issues (figuring out what web server is used, etc.).
- Account oracles.
- Our policies or configurations and/or the presence or absence of our SPF / DMARC records.
- Physical attempts against any Cognizant property.
# Third Party Software, Services, and Domains
Please also note that security issues found in third-party assets which are not managed by Cognizant are considered out of scope and should be reported to the affected party directly. When issues reported to the Cognizant program originate in a different vendor's service, Cognizant reserves the right to forward submissions to the affected party.
# Confidentiality
Any information you receive or collect about us, our affiliates, partners, or any of our users, employees, customers and clients, or agents in connection with the Responsible Disclosure Program (“Confidential Information”) must be kept confidential and only used in connection with the Responsible Disclosure Program. At this time, Cognizant is not utilising HackerOne Disclosure or participating in any disclosure options outside of HackerOne.
Please abide by HackerOne's Disclosure Guidelines in all respects not discussed herein.
# Legal Notice
You must comply with all applicable laws and regulations in connection with your security research activities or other participation in the Responsible Disclosure Program. By submitting a vulnerability report to Cognizant, you grant to Cognizant, its subsidiaries and its affiliates a perpetual, irrevocable, no-charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you have represented that no third-party intellectual property rights are involved.
# Safe Harbor
#### When you comply with these Guidelines in all respects, Cognizant will not pursue a civil action against you related to your research that falls within these Guidelines.
Thank you for helping to keep Cognizant, our internet presence, and our customers safe! It is greatly welcomed and appreciated.