Given all the perks of internet usage and information technology, we as advocates of the cloud accounting software Xero truly understand how risky it is to go online, whether you’re playing, shopping, running your business, or simply checking your email. There’s always the imminent danger of having your money or sensitive information stolen by clever hackers, scammers, and cyber criminals.

That is why all of us here at Enterprise Global are truly dedicated to protecting your online safety. Our accounting partner, Xero, provides multiple layers of protection for every piece of financial and personal information you entrust to us. Xero constantly updates its online security systems to assure you that the cloud accounting software is safe and secure for you to use.

Moreover, since computer and online security is constantly changing and developing, there will always be what we call “vulnerabilities”. These are weaknesses that may allow attackers (hackers and cyber criminals) to reduce a system’s data protection and information security assurance. Hence, a vulnerability is sometimes referred to as a security risk.

To counter those risks, Xero proudly implements a responsible, or coordinated, vulnerability disclosure program. Want to know more about how this helps protect you and, at the same time, secure your business’s sensitive information? Read on and we’ll discuss it here (without too much technical jargon). Hopefully, after this you’ll understand how far Xero goes when it comes to providing you with online safety.

How did Xero come up with this?

As we have mentioned, we fully support the online community in its endeavor to make the internet a safer place for everyone. To that end, Xero worked with the New Zealand Internet Task Force (NZITF) to make sure that its system is robust and secure enough to protect all your data. Thus, it decided to implement a coordinated vulnerability disclosure program.

What a Coordinated Disclosure Program really is…

In layman’s terms, coordinated disclosure is a way for organizations and finders to work together so that they can find, investigate, and fix IT vulnerabilities more easily. What’s good about this is that, under the NZITF’s Disclosure Guidelines, all parties involved must act in good faith in order to deal with these vulnerabilities effectively. Simply put, to keep your information secure, responsible and coordinated disclosure must be carried out to find new vulnerabilities and fix them.

How does Xero’s program work?

Generally, when security issues and vulnerabilities are detected by researchers or an organization’s security team, they must be reported to Xero’s support team. So if you decide to do so, make sure that you disclose the vulnerabilities in a responsible manner (and that you use test accounts instead of accessing real private information). Should you be interested in participating, here is the extent to which the Xero team implements the coordinated disclosure program:

Xero is after possible issues which include but are not limited to:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorised access to other organisations’ data within Xero

We are particularly interested in issues related to the following sites:

  • go.xero.com
  • my.xero.com
  • login.xero.com
  • connect.banking.xero.com
  • payroll.xero.com

We are also interested in vulnerabilities in the following applications:

  • Xero for Android
  • Xero for iOS

Please refrain from accessing private information (use test accounts instead), performing actions that may negatively affect Xero users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our white hat program:

  • Issues related to software or protocols not under Xero’s control
  • Reports from automated tools or scans
  • Social engineering of Xero staff or contractors
  • Any physical attempts against property or IT infrastructure belonging to Xero or any of our IT hosting and network service providers
  • Attacks requiring physical access to a user’s device
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Login/logout CSRF
  • Invalid or missing SPF (Sender Policy Framework) records
  • Reports of spam or phishing
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages

Permission is required from the Xero Security Team before using automated tools or scans, performing brute force attacks, or denial of service. Any attacks which affect other users or infrastructure will be outside these guidelines.

What we love about Xero is its proactive approach to solving problems before they affect users. If you’re looking at using or trying Xero, or hiring a firm that uses this cloud accounting software, you should understand that the Xero Security Team openly supports any endeavor to strengthen its online security. So online or security concerns should not stop you from trying out Xero or seeing the benefits it can bring you and your business.

References:

https://www.xero.com/sg/about/security/

http://www.nzitf.net.nz/pdf/NZITF_Disclosure_Guidelines_2014.pdf

https://hackerone.com/xero
