At Keeping, we consider the security of the software products we develop and our systems to be very important. Despite our care for security, a vulnerability may still exist.
If you discover a vulnerability in one of our own systems (keeping.nl), we would appreciate it if you let us know so that we can take measures as soon as possible. We would like to collaborate with you to better protect end users, our clients, and our systems.
We aim to resolve all issues as quickly as possible, and we would appreciate being involved in any publication about the issue after it has been resolved.
The outcome of a reported issue cannot be disputed. It is up to Keeping to determine whether a reported issue actually constitutes a risk. There may be situations that, from a business perspective, are considered an acceptable risk.
Software products out of scope
We use third-party software, which does not contain critical data and is sometimes hosted externally. Additionally, Keeping’s software products also include apps and extensions. Security notifications for the following are excluded from this Responsible Disclosure policy:
- developer.keeping.nl (Developer documentation);
- status.keeping.nl (Status page, hosted by Atlassian);
- echo.keeping.nl (Message server);
- The mobile apps (iOS and Android);
- Firefox and Chrome extensions.
We request:
- To send your findings to [email protected]. Encrypt your findings using our PGP key to prevent the information from falling into the wrong hands,
- Only to mention issues that pose an actual high vulnerability or risk to the security of the software,
- Not to exploit the issue by, for example, downloading more data than necessary to demonstrate the flaw, or by viewing, deleting, or modifying third-party data,
- Not to share the issue with others until it has been resolved, and to delete any confidential data obtained through the vulnerability immediately after the vulnerability has been closed,
- Not to use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications, and
- To provide enough information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more information may be needed for complex vulnerabilities.
We promise:
- We will respond within 5 days of receiving the report with our assessment and an estimated resolution date,
- If you adhere to the above conditions, we will not take legal action against you regarding the report,
- We will treat your report confidentially and will not share your personal details with third parties without your permission unless it is necessary to meet a legal obligation. Reporting under a pseudonym is possible,
- We will keep you informed about the progress of resolving the issue,
- In publications about the reported issue, we will, if you wish, credit you as the discoverer, and
- As a token of appreciation, we offer a reward for every report of a previously unknown security issue. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report, with a minimum of €15 and a maximum of €45. The amount of the reward cannot be disputed.
Exceptions
We do not offer rewards for trivial or non-exploitable issues or issues that have already been reported. Below are some examples of known vulnerabilities and accepted risks for which we do not offer rewards:
- Issues that are considered an acceptable risk from a business perspective, for example where a fix would compromise user-friendly interfaces or workflows, or add unnecessary complexity for the end user;
- HTTP server response with a non-200 status code;
- Fingerprinting and version banner disclosure;
- Publicly accessible files and folders containing non-sensitive information – e.g., robots.txt;
- Clickjacking and related vulnerabilities;
- CSRF on logout functions or forms accessible without a session – e.g., a contact form;
- Presence of 'auto-complete' or 'save password' support functions;
- Weak CAPTCHA or CAPTCHA bypassing;
- Brute-force on publicly accessible forms, and 'account lockout' not enforced;
- Lack of 'Secure' and 'HttpOnly' flags on non-sensitive cookies;
- Lack of a rate limiter on requests for emails with authorized links and other publicly accessible forms;
- Workarounds to use Keeping briefly with incorrect payment details;
- Allowed HTTP requests with OPTIONS method;
- Username or email address enumeration through brute-force attempts via login error messages or 'forgot password' error messages;
- Lack of length validation on public forms like email or password;
- Lack of confirmation prompts, such as re-entering a password or requesting an additional email confirmation, etc.;
- Missing or misconfigured HTTP and HSTS headers such as: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, etc.;
- Missing or misconfigured Cross-Origin Resource Sharing (CORS) headers;
- Missing or misconfigured HTTP Strict Transport Security (HSTS) headers;
- Missing or misconfigured HTTP Public Key Pinning (HPKP);
- Missing or misconfigured SPF, DKIM, DMARC, BIMI policies;
- Missing or misconfigured SSL/TLS settings;
- Vulnerabilities related to third-party services like Cloudflare, Atlassian Statuspage, developer.keeping.nl, etc.;
- Manipulating request headers such as 'Host', 'Origin', and 'Referer', intending to redirect users to external sites;
- SSL configuration weaknesses including SSL attacks that are not exploitable externally, lack of SSL 'Forward Secrecy', and supporting insecure cipher suites;
- Possibility of 'Host' header injection;
- Content spoofing and text injection on error pages;
- Reporting old software versions without proof-of-concept or working exploit;
- Information leakage in metadata;
- Missing DNSSEC;
- Missing validation of IBAN numbers or document numbers;
- Missing enforcement of strong passwords;
- Expired or inactive domain names;
- Same Site Scripting or use through a localhost DNS rule;
- Missing or misconfigured Cache-Control headers or persistent login sessions on other devices/browsers after logging out;
- Lack of mandatory email verification for actions such as registration, account changes, setting up 2FA, and other account changes (reported and known, currently being implemented);
- Missing validation for the use of '+' in email addresses (e.g., [email protected] for [email protected]);
Parts of this text are based on a text written by Floor Terra (Creative Commons Attribution 3.0).