Responsible Disclosure Statement

At Pink Elephant, we consider the security of our systems very important.

Despite our care for the security of our systems, there may still be a vulnerability. If you have found a vulnerability in one of our systems, we would like to hear about it so that we can take action as soon as possible. We would like to work with you to better protect our customers and our systems.

We ask you to:

  • send your finding to security@pinkelephant.nl;
  • not exploit the problem by, for example, downloading more data than necessary to demonstrate the leak, or viewing, deleting or modifying third-party data;
  • not share the problem with others until it is resolved, and delete all confidential data obtained through the leak immediately after the leak is closed;
  • not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications;
  • provide sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities.


We promise to:

  • respond to your report within 5 days with our assessment of the report and an expected date for resolution;
  • not take any legal action if you comply with the conditions set by us regarding notification;
  • treat your report confidentially and not share your personal data with third parties without your consent, unless necessary to comply with a legal obligation;
  • keep you updated on the progress of solving the problem;
  • if you wish, include your name as the discoverer in messaging about the reported problem;
  • solve the problem as soon as possible;
  • involve you in any publication about the problem after it is resolved.

Known false positives:

When reporting potential vulnerabilities, consider realistic attack scenarios and the security impact of the behaviour. Below are the most common false positives we encounter. The following issues will be closed as invalid except in rare circumstances with a clear security impact.

  • Fingerprinting / version banner disclosure on general/public services
  • Disclosure of known public files, directories or non-sensitive information (such as robots.txt)
  • Clickjacking and problems that can only be exploited by clickjacking
  • Missing cookie flags on non-sensitive cookies
  • SPF and DKIM on domains other than true.co.uk.
  • DMARC problems
  • Missing DNSSEC (implementation in progress)
  • Self XSS
  • Same Site Scripting / Localhost DNS record
  • Problems due to outdated browser software
  • Known CVEs are excluded for a reasonable period of time after the public availability of a patch (usually 30 days).


The above text is an adapted version of Floor Terra's original Responsible Disclosure text and is published under a Creative Commons Attribution 3.0 licence. The original text can be found at responsibledisclosure.co.uk.
