Security

At Keeping, we consider the security of the software products we develop and of our own systems to be very important. Despite the care we take, a vulnerability may still exist.

If you discover a vulnerability in one of our own systems (keeping.nl), we would appreciate it if you let us know so that we can take measures as soon as possible. We would like to collaborate with you to better protect end users, our clients, and our systems.

We aim to resolve all issues as quickly as possible, and we would appreciate being involved in any publication about the issue after it has been resolved.

The outcome of a reported issue cannot be disputed. It is up to Keeping to determine whether a reported issue actually constitutes a risk. There may be situations that, from a business perspective, are considered an acceptable risk.

Software products out of scope

We use third-party software that does not contain critical data and is sometimes hosted externally. Keeping's software products also include apps and extensions. Security reports concerning the following systems and products:

  • developer.keeping.nl (developer documentation);
  • status.keeping.nl (status page, hosted by Atlassian);
  • echo.keeping.nl (message server);
  • the mobile apps (iOS and Android);
  • the Firefox and Chrome extensions;

are excluded from this Responsible Disclosure policy.

We request:

  • To send your findings to [email protected],
  • Only to report issues that pose an actual high vulnerability or risk to the security of the software,
  • Not to exploit the issue by, for example, downloading more data than necessary to demonstrate the flaw, or by viewing, deleting, or modifying third-party data,
  • Not to share the issue with others until it has been resolved, and to delete any confidential data obtained through the vulnerability immediately after the vulnerability has been closed,
  • Not to use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications, and
  • To provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more information may be needed for complex vulnerabilities.

We promise:

  • We will respond within 10 working days of receiving the report with our assessment and an estimated resolution date,
  • If you adhere to the above conditions, we will not take legal action against you regarding the report,
  • We will treat your report confidentially and will not share your personal details with third parties without your permission unless it is necessary to meet a legal obligation. Reporting under a pseudonym is possible,
  • We will keep you informed about the progress of resolving the issue,
  • In publications about the reported issue, we will, if you wish, credit you as the discoverer, and
  • As a token of appreciation, we offer a reward for every report of a previously unknown security issue. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report, with a minimum of €15 and a maximum of €45. The amount of the reward cannot be disputed.

Exceptions

We do not offer rewards for trivial or non-exploitable issues or issues that have already been reported. Below are some examples of known vulnerabilities and accepted risks for which we do not offer rewards.

  • Issues that are considered an acceptable risk from a business perspective, for example where a fix would degrade user-friendly interfaces or workflows, or would add unnecessary complexity for the end user;
  • HTTP server response with a non-200 status code;
  • Fingerprinting and version banner disclosure;
  • Publicly accessible files and folders containing non-sensitive information – e.g., robots.txt;
  • Clickjacking and related vulnerabilities;
  • Vulnerabilities in front-end third-party libraries such as jQuery;
  • CSRF on logout functions or forms accessible without a session – e.g., a contact form;
  • Presence of 'auto-complete' or 'save password' support functions;
  • Weak CAPTCHA or CAPTCHA bypassing;
  • Brute-force on publicly accessible forms, and 'account lockout' not enforced;
  • Lack of 'Secure' and 'HttpOnly' flags on non-sensitive cookies;
  • Lack of a rate limiter on requests for emails with authorized links and other publicly accessible forms;
  • Lack of a rate limiter on managing access tokens;
  • Lack of a rate limiter on forms and endpoints on non-publicly accessible pages;
  • Workarounds to use Keeping briefly with incorrect payment details;
  • Allowed HTTP requests with OPTIONS method;
  • Username or email address enumeration through brute-force attempts via login error messages or 'forgot password' error messages;
  • Lack of length validation on public forms like email or password;
  • Lack of 2FA for important actions such as deleting an account or organisation, account changes, OAuth modifications, or similar actions;
  • Lack of confirmation prompts, such as re-entering a password or requesting an additional email confirmation, etc.;
  • Missing or misconfigured HTTP and HSTS headers such as: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, etc.;
  • Missing or misconfigured Cross-Origin Resource Sharing (CORS) headers;
  • Missing or misconfigured HTTP Strict Transport Security (HSTS) headers;
  • Missing or misconfigured HTTP Public Key Pinning (HPKP);
  • Missing or misconfigured SPF, DKIM, DMARC, BIMI policies;
  • Missing or misconfigured SSL/TLS settings;
  • Vulnerabilities related to third-party services like Cloudflare, Atlassian Statuspage, developer.keeping.nl, etc.;
  • Manipulating request headers such as 'Host', 'Origin', and 'Referer' with the intention of redirecting users to external sites;
  • Manipulating session tokens during login;
  • SSL configuration weaknesses including SSL attacks that are not exploitable externally, lack of SSL 'Forward Secrecy', and supporting insecure cipher suites;
  • Possibility of 'Host' header injection;
  • Content spoofing and text injection on error pages;
  • Reporting old software versions without proof-of-concept or working exploit;
  • Information leakage in metadata;
  • Missing DNSSEC;
  • Missing validation of IBAN numbers or document numbers;
  • Missing enforcement of strong passwords;
  • Expired or inactive domain names;
  • Files (including deleted ones) remaining available in the CDN;
  • Same Site Scripting or abuse via a localhost DNS record;
  • Missing or misconfigured Cache-Control headers or persistent login sessions on other devices/browsers after logging out;
  • Lack of mandatory email verification for actions such as registration, account changes, setting up 2FA, and other account changes;
  • Missing validation for the use of '+' in email addresses (e.g., [email protected] for [email protected]);
  • Missing validation of the domain validity of an email address;
  • Lack of a notification email to the old email address when changing it, when the old email address has not yet been confirmed;
  • Lack of a rate limit on settings pages, allowing duplicate settings to be created;
  • Lack of disabling buttons while submitting a form, allowing duplicate settings to be created;
  • All reports related to inviting a new user; multiple reports have already been received and rewarded for this;
  • All reports regarding logging in, the forgotten-password feature, and similar issues; multiple reports have already been received and rewarded for these;
  • Creating invalid links (such as between users and tasks) by manually modifying data in the request.

Parts of this text are based on a text written by Floor Terra (Creative Commons Attribution 3.0).