EcpPro is an application to manage, monitor, cost-optimise and secure all of your Entra ID and Azure tenants from a single portal.

  • Address: SYDNEY NSW 2000 Australia
  • Sales: sales @ ecppro.com
  • Support: support @ ecppro.com
Security at EcpPro

EcpPro is committed to working with security experts around the world to stay up to date with the latest security techniques.

If you have discovered a security issue that you believe we should know about, we'd love to hear from you!

  • EcpPro will not take legal action against users for disclosing vulnerabilities as instructed here.
  • Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
  • Based on the validity, severity, and scope of each issue, we'll reward you with awesome shtuff (or just cold, hard cash if you prefer).

Program Rules:
  • Testing should be limited to sites and services that EcpPro directly operates. We will not accept reports for third-party services or providers.
  • Don't perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted under this bounty include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
  • Don't use scanners or automated tools to find vulnerabilities.
  • No information about issues found should be publicly disclosed or shared until we've completed our investigation and resolution.
Out-of-Scope Vulnerabilities:
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are generally considered out of scope (not an exhaustive list):
  • Account/E-mail enumeration
  • Attacks requiring MITM or physical access to a user's device
  • Brute force attacks
  • Clickjacking
  • Content spoofing and text injection
  • CSRF vulnerabilities
  • Denial of Service attacks where the outcome is resource exhaustion
  • Email SPF, DKIM, and DMARC records
  • Missing HttpOnly/Secure cookie flags
  • Open CORS headers
  • Publicly accessible login panels
  • Reports from scanners and automated tools
  • Self-exploitation (like token reuse and console scripting)
  • Social engineering or phishing attacks targeting users or staff
  • NSFW gating
  • Rate limiting