Vulnerability Disclosure Policy

Purpose

As a provider of products and services for many users across the Internet, Tealium recognizes how important it is to help protect the privacy and security of our Customer Data. We understand that secure delivery of our Services is instrumental in maintaining the trust customers place in us and we strive to create innovative products that both serve our customers’ needs and operate in our customers’ best interest. Keeping Customer Data safe and secure is a top priority for Tealium and a core company value. This is in keeping with Tealium’s commitment to Privacy and Security by Design and Default.

Maintaining the security of our Services is paramount at Tealium. We believe responsible disclosure of any security vulnerabilities identified by security researchers is an essential part of that commitment. Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community. Together, we can achieve our common goal.

The security research community regularly makes valuable contributions to the security of organizations and the broader Internet. Tealium recognizes that fostering a close relationship with the security research community will help improve our own security. When participants in our programs have information about a vulnerability in a Tealium web application or Service we welcome the submission of their findings.


Scope

This policy applies to all Tealium personnel (including employees, contractors, and applicable third parties) as well as those invited to participate in Tealium’s security research programs (“Participants”). Tealium’s security research programs include, but are not limited to our bug bounty, vulnerability exercises, and penetration tests.

Tealium defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability, or confidentiality of our products, Services, or Customer Data.

We welcome the contributions of Participants and look forward to reviewing the submission of their findings to improve the security of Tealium’s Services. Certain vulnerabilities are not in the scope of this policy. For a list of vulnerabilities not in scope please see the list of Out-of-scope Vulnerabilities.

Applications and Endpoints in Scope
Tealium’s corporate website tealium.com; Tealium’s iOS and Android SDKs; the web application domain tealiumiq.com; tags and tag management code; the multi-CDN (“mCDN”) domain tiqcdn.com; and APIs as well as Customer Data Hub (“CDH”) features and functionality are in scope under this policy.

We encourage the coordinated disclosure of the following eligible web application vulnerabilities:

  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Authentication or authorization flaws
  • Injection Vulnerabilities
  • Directory Traversal
  • Information Disclosure
  • Significant Security Misconfiguration
  • API and endpoint unintended behavior or information disclosure

Not in Scope
Vendors, partners, or contractors that participate in the delivery of the Services, partnership companies and their web assets, and affiliates of Tealium are not in scope.


Policy

Participation
Participants may include individuals, organizations, or groups who may participate in a coordinated program. Those parties wishing to participate in Tealium vulnerability disclosure programs may do so by contacting Tealium’s Information Security team at vdp@tealium.com for more details.

Customers, or Customer’s authorized representative, wishing to join the program or to report vulnerabilities should contact the Customer’s account management team at Tealium.

“Safe Harbor”
To facilitate the research to be conducted under this policy, Participants must feel that disclosure would not subject them to penalties. Therefore, one of the most critical components of this policy is a clear, unambiguous commitment that good faith efforts in accordance with this policy will not result in Tealium initiating legal action. Tealium will not initiate legal action against Participants for identifying vulnerabilities or insecurities in our systems as long as they adhere to this policy. Any activities conducted in a manner consistent with this policy will be considered authorized conduct. In general, Tealium’s goal is to create a “safe harbor” that demonstrates good faith and builds trust.

Commitment to Researchers
Trust. We maintain trust and confidentiality in our professional exchanges with Participants. Participants must communicate directly to Tealium on any and all vulnerabilities that they discover and provide Tealium sufficient time and information for our team to validate and address such vulnerabilities. Participants agree to not make any public disclosure of such vulnerabilities or data exposed by the vulnerability.

Respect. We respect the skills of researchers and recognize your contribution for keeping our customers safe and secure. During security testing, we ask that you make every effort to avoid privacy violations, degradation of our user experience, disruption of our production systems, and destruction of data.

Transparency. We will work with Participants to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy. We request that Participants provide the technical details and background necessary for our team to validate reported issues.

Common Good. We will investigate and remediate issues in a manner consistent with our policies. We ask that Participants join us in protecting the privacy and security of employees, contractors, and applicable third parties by refraining from public disclosure until our team has had time to investigate, validate and remediate the findings.

Eligibility and Responsible Disclosure
To promote the discovery and reporting of vulnerabilities in a safe and responsible manner, Tealium requires that all Participants:

  • Share the security issue with us in detail;
  • Be respectful of our existing applications and their functionality (avoid the use of automated tools that spam or otherwise abuse the systems’ normal functionality);
  • Give us a reasonable amount of time to respond to, mitigate, and remediate a finding before making a coordinated disclosure about it;
  • Not access or modify our data or our customers’ data, without explicit permission of the data owner;
  • Not target any of Tealium’s customers;
  • Contact us immediately at vdp@tealium.com if you inadvertently encounter data belonging to Tealium or another customer;
  • Not view, alter, save, store, transfer, or otherwise access the data. If you have become aware that you have accessed or stored such data, you must immediately purge any locally stored information upon reporting the vulnerability to Tealium;
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of Tealium Services (including denial of service);
  • Comply with all applicable laws and regulations;
  • If they are customers or partners, interact only with their own accounts or test accounts for security research purposes.

Tealium reserves the right to disqualify Participants from our programs for violations of the provisions in this policy, and for any irresponsible, disrespectful or disruptive acts or behavior.

Vulnerability Disclosure and Remediation
Process overview:

Submitting a Vulnerability Report
To submit a vulnerability report to Tealium’s InfoSec Team, please utilize the specific details and tools in the program you are participating in or email Tealium directly at vdp@tealium.com.

What we would like to see from you:

  • Well-written reports in English
  • Reports that include proof-of-concept code
  • Reports that include only crash dumps or other automated tool output will most likely not be accepted
  • Reports that include products not on the covered list may be ignored
  • Include relevant information on how you found the bug, the impact, and any potential remediation
  • Maintain confidentiality of disclosures while Tealium investigates, mitigates and remediates

At a minimum, the following information must be included with the initial submission:

  • Vulnerability classification (Critical/High/Medium/Low/Informational)
  • Vulnerability description
  • Steps to reproduce the vulnerability (please be as detailed as possible; include screenshots if applicable)
  • Asset/URL
  • Account name (if applicable)
  • Date and time of testing and discovery
  • Preferred contact method (e.g. phone, text, email, instant message); email is preferred

What you can expect from us:

  • A timely response to your email or submission via the tools (typically within 5 business days)
  • An open dialog to discuss issues
  • Notification when the vulnerability analysis has been completed
  • An expected timeline for mitigation, remediation, patches and/or fixes (usually within 120 days)
  • Technical credit for the discovery after the vulnerability has been validated and fixed

Verification by Tealium
Once the report has been submitted, Tealium will work to validate the reported vulnerability. If additional information is required in order to validate or reproduce the issue, Tealium will work with Participants to obtain it. When the initial investigation is complete, the results will be delivered to the Participant along with a plan for resolution and, if applicable, coordinated public disclosure.

A few things to note about the Tealium evaluation process:

Third-Party Products. In the event that third-party vendors participate in the delivery of Tealium Services, and if a vulnerability is found to affect such third-parties, Tealium will notify the affected third-party. Tealium will coordinate with the third-party and with you. Your identity will not be disclosed to a third-party without your permission. Tealium cannot authorize Participants to test these third-party systems or services.

Confirmation of Non-Vulnerabilities. If the issue cannot be validated, or is not found to be a flaw in a Tealium product, this will be shared with you.

Vulnerability Classification. Tealium uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response. For more information on CVSS, please see the CVSS-SIG announcement.

Tealium is committed to being responsive and keeping you informed of our progress as we investigate, mitigate, and remediate your reported security concern.

Tealium will determine the vulnerability rating in its sole discretion based on the OWASP Risk Rating Methodology and in accordance with Tealium’s Vulnerability Rating and Remediation Policy. Mitigation will be prioritized based on our determination of critical, high, medium, and low risks.

Public Notification
If applicable, Tealium will coordinate public notification of a validated vulnerability with Participants. If we agree that separate statements are applicable, we require that our respective public disclosures be posted simultaneously.

To protect our customers, Participants must not post or share any information about a vulnerability or finding in any public setting until Tealium has researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, Participants may not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

Tealium public notifications may be in the form of security bulletins, community articles, blog posts or press releases. When relevant, we will include links to co-released Participant announcements in Tealium’s public notification.

Resolution Development
All vulnerabilities must be mitigated and remediated within the parameters set forth in Tealium’s Patch Management Policy. If the InfoSec team decides to deviate from those parameters, mitigating controls that lower the overall risk level may be implemented. Identified and validated findings from reports are rated by Tealium’s InfoSec team in accordance with Tealium’s Vulnerability Rating and Remediation Policy and remediated in accordance with Tealium’s Patch Management Policy and Software Development Policy. Vulnerabilities that may affect Tealium’s customers will be addressed in accordance with Tealium’s Incident Response Policy and Plan.

Fix Release
Mitigation, remediation, or countermeasure will be deployed in a timeline defined by Tealium in accordance with Tealium’s policies.

Post Release
Under some programs, remediation validation may include or require Participant engagement in the remediation validation. In every case Tealium’s InfoSec team will validate the released remediation.