Coordinated Vulnerability Disclosure / Responsible Disclosure


COORDINATED VULNERABILITY DISCLOSURE POLICY (ENG)

At Conclusion, we are committed to keeping our systems, network and product(s) secure. Despite the measures we take, the presence of vulnerabilities will always be possible. When such vulnerabilities are found, we’d like to learn of them as soon as possible, allowing us to take swift action to improve our security.

Conclusion kindly requests you to:

  • Submit your findings through the 'Coordinated Vulnerability Disclosure report' option in this online form as soon as possible;
  • Provide us with enough information to investigate the vulnerability properly. We need to be able to reproduce your findings efficiently: at a minimum, the IP address or URL concerned and a description of the vulnerability;
  • Provide us with enough information to contact you, e.g. a telephone number or email address;
  • Refrain from sharing your observations with others until the vulnerability has been resolved;
  • Act responsibly with your knowledge of the vulnerability: do not perform any actions that go beyond what is necessary to demonstrate the flaw.

You must never:

  • Use denial-of-service attacks, social engineering or any other means of interrupting our services;
  • Copy, change or delete our data;
  • Make changes to a system;
  • Install malware;
  • Use "brute force" techniques.

What to expect from us:

  • If you comply with the conditions above, Conclusion will not pursue legal action against you in relation to your report;
  • Conclusion will confirm receipt of your report within 72 hours;
  • You will receive our technical appraisal of your report within 30 days; where necessary, we will then inform you of the 'black-out period' required to deal with the vulnerability. During this period you may not share the information with others;
  • Conclusion will treat your report as confidential and respect your privacy, unless we are legally required to disclose information to the authorities;
  • Conclusion offers you a token of appreciation for your efforts in working with us to improve cybersecurity. For reference, you will find some examples of our 'bounty assessment criteria' below.

Bounty Assessment Criteria

Please note that Conclusion technical staff will assess and categorize your report, considering its potential impact in the relevant context. Their assessment is not open for debate. We will only reward the first reporter of a vulnerability; duplicate reports will not be rewarded.

Category 1:

Here are some examples of critical vulnerabilities which we will reward with a Conclusion promotional item such as a t-shirt or polo shirt. Your name will, with your consent, be placed on our "Coordinated vulnerability disclosure Wall of Fame" and we will provide you with a personalized "Certificate of Appreciation":

  • Access to internal systems;
  • Access to sensitive business information;
  • Access to privacy-sensitive (personal) data;
  • Remote code execution;
  • SQL injection;
  • Significantly broken authentication or session management;
  • Stored XSS;
  • CSRF and privilege escalation on critical functionality;
  • Session takeovers.

Category 2:

Here are some examples of vulnerabilities which we will reward by adding your name, with your consent, to the "Coordinated vulnerability disclosure Wall of Fame" and providing you with a personalized "Certificate of Appreciation":

  • XSS (or similar behaviour) where you can only attack yourself;
  • XSS on pages where admins are intentionally given full HTML editing capabilities (such as custom theme editing);
  • Open or covert redirects;
  • Direct object references to non-sensitive data;
  • Misuse of password recovery tooling to retrieve user account information;
  • Access control bypass;
  • Open URL redirection;
  • Directory traversal;
  • Missing flags or settings in email servers or DNS records;
  • Missing HTTP headers without practical security impact;
  • Missing 404 pages;
  • Brute-force, rate-limiting, velocity-throttling and other denial-of-service-based issues;
  • Clickjacking;
  • Content spoofing issues without branding CSS;
  • Cookie flags;
  • Issues where the fix only requires a text change;
  • Login/logout CSRF;
  • Malicious attachments on file uploads or attachments;
  • Missing additional security controls, such as HSTS or CSP headers;
  • Mobile issues that require a rooted or jailbroken device;
  • Password recovery policies, such as reset link expiration or password complexity;
  • Reflected File Download (this may be rewarded in the future, but is currently out of scope);
  • SPF, DKIM and DMARC issues;
  • IIS tilde directory enumeration;
  • Misconfigured debugging error pages or other methods of retrieving information about the existence of files on a server without actual access to the contents of those files.

WALL OF FAME

Category 1 reporters

  • Kunal Bahl
  • Patrik Fehrenbach
  • Abhishek Misal

Category 2 reporters

  • Abhishek Misal
  • Shubham Maheshwari
  • Zawadi Done
  • Ratnadip Gajbhiye
  • Pal Patel
  • Nitish Sharma
  • Ketankumar B. Godhani
  • S. Naveen Kumar
  • Naveen Kumar
  • Salman Sajid Khan
  • Mohammad Abdullah
  • Ismail Tasdelen
  • Pranshu Tiwari
  • Ashish Kunwar
  • Amit Kumar
  • Rohit Gautam
  • Pradipta Das (Guru Nanak Institute of Technology, Kolkata)
  • Chetan Tiwari
  • Prabhakar Damor
  • Hritik Sharma
  • B. Dhiyaneshwaran
  • Mohammed Adam
  • Rishabh cyb3rlant3rn
  • Muhammed Ashmil
  • Sachin Gupta
  • Aamir Usman Khan
  • Umesh Prakash Jore
  • Kamran Saifullah
  • Blindu Eusebiu
  • Ashish Kamble
  • Samet Şahin
  • Jayesh Patel
  • Sabeer Bijapur
  • Aditya Kabra
  • Mustafa Diaa
  • Kunal Khadse