How to report security vulnerabilities?

Forum for the PDF-XChange Editor - Free and Licensed Versions

Talos
User
Posts: 6
Joined: Mon Apr 28, 2025 1:59 pm

How to report security vulnerabilities?

Post by Talos »

Dear PDF-XChange

The Cisco Talos team found a security vulnerability affecting PDF-XChange Co. Ltd products. As this is a sensitive security issue, this message is to request a PGP key for further communication, if available. Please let us know the correct email address for reporting security issues.

For further information about the Cisco Vendor Vulnerability Reporting and Disclosure Policy please refer to this document which also links to our public PGP key. https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
Paul - PDF-XChange
Site Admin
Posts: 7359
Joined: Wed Mar 25, 2009 10:37 pm

Re: How to report security vulnerabilities?

Post by Paul - PDF-XChange »

Hi, Talos

Please write to support@pdf-xchange.com with this request.
Best regards

Paul O'Rorke
PDF-XChange Support
http://www.pdf-xchange.com
Talos
User
Posts: 6
Joined: Mon Apr 28, 2025 1:59 pm

Re: How to report security vulnerabilities?

Post by Talos »

Hi Paul

Thank you for the reply. I tried 3 times over the past weeks, and our emails always ended up being blocked. The subject we sent was "TALOS Security Advisory for PDF-XChange Editor (TALOS-2025-2171)". What subject will get me past the filter?

Alternatively, please email us at (redacted)

Thanks!
Last edited by Talos on Mon May 05, 2025 7:54 am, edited 1 time in total.
Daniel - PDF-XChange
Site Admin
Posts: 10998
Joined: Wed Jan 03, 2018 6:52 pm

Re: How to report security vulnerabilities?

Post by Daniel - PDF-XChange »

Hello, Talos

Are you seeing a report identifying what exactly caused the mail to be blocked? It should include some details about the reason the block occurred. We do not have any filters which should block an email with that subject line, but if you are worried about that, you could try something more generic, like "Security issue in Editor".
Are there perhaps attachments in your emails which could have an effect? While our mail server should accept nearly all safe extensions, including archival formats, I know that many companies have filters on their end, to prevent employees from sending outgoing mail with certain types of attachments. Sometimes PDF files are included in that list.

If your report did include any attachments, please try sending again without them included. We can provide you with a direct upload link if those files are necessary to identify the cause of the issue.

Kind regards,
Dan McIntyre - Support Technician
PDF-XChange Co. LTD

+++++++++++++++++++++++++++++++++++
Our Web site domain and email address have changed as of 26/10/2023.
https://www.pdf-xchange.com
Support@pdf-xchange.com
Talos
User
Posts: 6
Joined: Mon Apr 28, 2025 1:59 pm

Re: How to report security vulnerabilities?

Post by Talos »

Hello Daniel

The email so far is all text without any attachments, as we are asking for the security contact to send the report to. We do this on a daily basis to various vendors and it works well on our end. The reply email we received from our mailer daemon says:


The following message to <support@pdf-xchange.com> was undeliverable.
The reason for the problem:
5.4.7 - Delivery expired (message too old) 'EOF'

Any idea why that might be the case? I tried three times over several weeks since mid-April.
Daniel - PDF-XChange
Site Admin
Posts: 10998
Joined: Wed Jan 03, 2018 6:52 pm

Re: How to report security vulnerabilities?

Post by Daniel - PDF-XChange »

Hello, Talos

That is very strange. In the meantime, can you please export both the original email and the delivery failure, and upload them here for me?
https://files.pdf-xchange.com/s/zQzPrPncqH4j2tf
Please let me know once the upload is complete.

I will make sure that our Dev team sees the report, and that our mail team investigates the delivery failure so this is not an issue in the future.
I will also send you an email from my personal account requesting a reply with the same information shortly, to see if the issue lies in our support box specifically, the mail server itself, or elsewhere.

Kind regards,
Dan McIntyre - Support Technician
PDF-XChange Co. LTD

Daniel - PDF-XChange
Site Admin
Posts: 10998
Joined: Wed Jan 03, 2018 6:52 pm

Re: How to report security vulnerabilities?

Post by Daniel - PDF-XChange »

Hello again Talos

I have not seen an email reply from you or any files uploaded to our file-server since my last post. We are planning a release for next week, and the Dev team is eager to see this vulnerability report as soon as possible so we can address it with that release.

If you find any spare time to do so, we would greatly appreciate it if you could upload the vulnerability report email itself as soon as possible.
The Mail delivery failure mail is secondary at this point, and can be addressed with somewhat more leisure, though we would of course appreciate both whenever possible.

Kind regards,
Dan McIntyre - Support Technician
PDF-XChange Co. LTD

Talos
User
Posts: 6
Joined: Mon Apr 28, 2025 1:59 pm

Re: How to report security vulnerabilities?

Post by Talos »

Hello Dan

I just sent out the report to your address by email. I hope it works this time.

Best,

Martin
Daniel - PDF-XChange
Site Admin
Posts: 10998
Joined: Wed Jan 03, 2018 6:52 pm

Re: How to report security vulnerabilities?

Post by Daniel - PDF-XChange »

Hello, Talos

I am afraid that no email has arrived as of yet. To "cut out the middle man", can you please upload the emails you have sent as *.eml or *.msg export files to this URL:
https://files.pdf-xchange.com/s/zQzPrPncqH4j2tf

Then post here letting me know when the upload is complete?

Kind regards,
Dan McIntyre - Support Technician
PDF-XChange Co. LTD

Talos
User
Posts: 6
Joined: Mon Apr 28, 2025 1:59 pm

Re: How to report security vulnerabilities?

Post by Talos »

Hello Dan

I noticed this morning that the last 2 emails didn't make it either. I have now uploaded the vulnerability report to the link you provided (twice, actually, I assume). It's an encrypted zip file. The password is "Talos".
This should really work now.

Best,

Martin
Daniel - PDF-XChange
Site Admin
Posts: 10998
Joined: Wed Jan 03, 2018 6:52 pm

Re: How to report security vulnerabilities?

Post by Daniel - PDF-XChange »

Hello, Talos

Thank you for that! I see the text and sample file have been uploaded, and I passed this along to Ivan for review and resolution.

Moving back to the email issue. Our mail server admin very much needs to see the actual error report messages you are getting, so that we can compare and figure out why your messages are not arriving by email. We would much rather cases like this one be handled via that medium, but to do so we need to resolve the issue and ensure you can still send us emails.
Can you please also export the bounce/delivery failure messages, and upload those directly to the same link as before?

Kind regards,
Dan McIntyre - Support Technician
PDF-XChange Co. LTD

Talos
User
Posts: 6
Joined: Mon Apr 28, 2025 1:59 pm

Re: How to report security vulnerabilities?

Post by Talos »

Hi Dan

Our system sends emails to all sorts of vendors, big and small, and it typically works. I've opened a case with operations on our end today to figure out where the problem is, and what makes your mail system 'special'. So far emails to you bounce with a timeout after several days, when I get them back from our email server. I'll let you know if it's on our end, or not.

Martin
Daniel - PDF-XChange
Site Admin
Posts: 10998
Joined: Wed Jan 03, 2018 6:52 pm

Re: How to report security vulnerabilities?

Post by Daniel - PDF-XChange »

Hello, Talos

Thank you very much, I will keep an eye on this topic in anticipation of your report.

Kind regards,
Dan McIntyre - Support Technician
PDF-XChange Co. LTD
