Vulnerability Disclosure Policy

EDAS Conference Services (EDAS), a provider of services for scientific
conferences, is committed to ensuring the security and privacy of our
users. Towards this end, EDAS is now formalizing our policy for
accepting vulnerability reports in our service. We hope to foster an
open partnership with the security community, and recognize that the
work the community does is important in continuing to ensure safety
and security for all of our ussers. We have developed this policy to
both reflect our corporate values and to uphold our legal
responsibility to good-faith security researchers that are providing
us with their expertise.

Scope

EDAS Vulnerability Disclosure Program initially covers the following sites: https://*.edas.info

Researchers that submit a vulnerability report to us, once accepted and validated by our
product security team, will be given full credit on our website.

Legal Posture

EDAS Conference Services will not engage in legal action against
individuals that submit vulnerability reports through our
vulnerability reporting mechanism. We openly accept reports for the
currently listed EDAS sites. We agree not to pursue legal action
against individuals who:

• Engage in testing of systems and research without harming EDAS or
  its users, including refraining disclosing non-public information
  about these users.

• Engage in vulnerability testing within the scope of our
  vulnerability disclosure program.

• Test on services without affecting users, and receive permission
  and consent from users before engaging in vulnerability testing
  against their EDAS accounts.

• Adhere to the laws of their location and the location of EDAS.
  For example, violating laws that would only result in a claim by EDAS
  (and not a criminal claim) may be acceptable as EDAS is authorizing
  the activity (reverse engineering or circumventing protective
  measures) to improve its system.

• Refrain from disclosing vulnerability details to the public before
  a mutually agreed-upon timeframe expires.

How to Submit a Vulnerability

To submit a vulnerability report to the EDAS Security Team, please
use [https://edas.info/help.php](the help form).

Report Acceptance Criteria

We will use the following criteria to decide whether or not to
accept the report. Report declines mean that the report was not of
sufficient quality or was out of scope.

What we would like to see from you:

• Well written reports in English will have a higher chance of being accepted.

• Reports that include proof of concept code, URLs or form data will
  be more likely to be accepted.

• Reports that include products not on the covered list will most
  likely be ignored.

• Include how you found the bug, the impact, and any potential
  remediation.

• Consideration for vulnerabilities that may have safety, privacy and
  operational stability impact.

• Any plans for public disclosure.

What you can expect from us:

• A timely response to your email (within 2 business days).

• An open dialog to discuss issues.

• Notification when the vulnerability analysis has completed each
  stage of our review.

• An expected timeline for patches and fixes (usually within 30
  days).

• Credit after the vulnerability has been validated and fixed.

• If we are unable to resolve communication issues or other
  problems, EDAS may bring in a neutral third party (such as CERT/CC or
  ICS-CERT) to handle the vulnerability, or may encourage you to
  disclose the vulnerability publicly.

Versioning

This document was created 05-March-2019. Any updates will be noted
below in the version notes.

Acknowledgments

The following individuals have contributed disclosures:

• Naveen Kumar

• Cédric Lissanon https://twitter.com/Sancelisso

• Harinder Singh (https://www.linkedin.com/in/lambardar/)

• Ramansh Sharma

• [https://www.linkedin.com/in/r0x5r/](Rohit Sharma)

We appreciate their contributions to making EDAS more secure.

Last updated
11/22/2025 17:21:26