Responsible Disclosure Policy.


At DFRNT, we are committed to the security of our services and the protection of our customers' data and privacy. We recognize the critical role of responsible disclosure in maintaining the security of digital environments.

Important! Before engaging in any security research, make sure you read and understand the contents of this page, including the out of scope section and avoidance of business impact. Engaging in security research without following this policy may exclude you from the Hall of Fame and the Legal Conduct section may apply.

If you are a security researcher and have discovered a security vulnerability in our product, website, or service, we appreciate your help in disclosing it to us in a responsible manner.

The intention of this policy is to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

Last updated 2024-03-31

Hall of fame

We express our sincere gratitude for responsible disclosures by security researchers. We maintain a hall of fame page for researcher attribution; participation in the hall of fame is of course optional. We usually add closed security disclosures to our hall of fame at the end of each quarter.

If you are a customer

If you feel your account may have been compromised, or if you suspect fraudulent behavior, do not hesitate to contact our support team. Your issue will be investigated immediately and thoroughly.

How to Report a Vulnerability

If you have discovered a potential security vulnerability on an asset that belongs to us, we kindly ask you to adhere to the following guidelines.

  • Avoid negative consequences: Make every effort to avoid any actions that could negatively impact our systems, users, or customers. Only conduct testing within the boundaries of your own account, and do not access, modify, or view data that does not belong to you.
  • Avoid business impact from form submissions: Make every effort to avoid any actions that allocate resources outside of your account. This includes sign-ups, meeting bookings and similar. The reason is that such form submissions translate into clean-up work by staff. See the important section above.
  • Prefer simple communications: Please send your disclosure in as simple a form as possible, preferably with the majority of the disclosure as plain text. We do not accept video submissions in any form.
  • Report responsibly: Please submit your findings to our security team as soon as possible via our designated channel: security-contact (at) dfrnt.com.
  • Confidentiality: We respect the privacy and security of security researchers. We do not share any personal information without explicit permission, unless required by law. We request that you do not disclose any details about the vulnerability until it has been resolved and we have given you permission to do so.
  • Description of the Vulnerability: Detail the nature of the vulnerability, the component it affects, and its possible impact on our website or client data in plain text. Include links as plain text to where the vulnerability was found.
  • Reproduction Steps/Proof of Concept: Provide clear steps to reproduce the issue or proof of concept code, if available.
  • Your Contact Information: Share your name and a reliable means of contact, preferably an email address.
  • Legal conduct: We encourage responsible and ethical behavior in accordance with the law. If you discover a vulnerability, please refrain from taking advantage of the vulnerability for any reason. This includes but is not limited to unauthorized access, data exfiltration, or disruption of service. Engaging in such activities is strictly prohibited and may result in legal action.

Response and Communication

  • Acknowledgment of Receipt: We will make every effort to acknowledge receipt of your report promptly.
  • Regular Updates: We aim to keep you informed with periodic updates regarding the investigation and remediation process and want to work with you to verify and validate the fix.
  • Confidentiality Request: We urge you to refrain from publicly disclosing the vulnerability until we have fully investigated and resolved the matter, to avoid potential exploitation.

Recognition and Appreciation

While we do not currently offer monetary rewards, we are open to expressing our gratitude by publicly acknowledging the contributions of individuals who report valid and previously unknown vulnerabilities, on our website in our hall of fame.

Please check your disclosure against our out of scope list below before submitting your request.

We understand and value the time and effort involved in responsible vulnerability disclosure and sincerely appreciate your assistance in enhancing the security of our services.

Out of scope

Some issues are not necessarily a security concern. They may be, but in general, unless there is a possibility to exploit them, these classes of issues will be out of scope for the policy. You are still welcome to report them if you want.

  • Clickjacking on pages with no sensitive actions or no authenticated actions
  • Open redirect, unless an additional security impact can be demonstrated
  • Missing best practices or not the latest protocols in SSL/TLS configurations
  • Missing email best practices such as incomplete, invalid, or missing SPF/DKIM/DMARC records and similar
  • Software version disclosure and banner identification issues
  • Cookies not used by site security functions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Anything related to HTTP security headers, including: Strict-Transport-Security / X-Frame-Options / X-XSS-Protection / X-Content-Type-Options / Content-Security-Policy.
  • Reporting older versions of any software without proof of concept or working exploit.

Your efforts in helping us maintain a secure and trustworthy digital environment are immensely appreciated. Together, we can ensure the safety and security of our services and client data.
