Responsible Disclosure Policy

Data security is a top priority for KPA Services, LLC and we believe that working with skilled security researchers can identify weaknesses in any technology. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk.

If you believe you’ve found a security vulnerability in KPA’s service, please notify us using the instructions in the disclosure process section and we will work with you to resolve the issue promptly.

We currently do not have an officially defined financial reward system “bug bounty program” in place. As such, compensation should not be expected after submission. However, KPA Services, LLC may at our discretion reward researchers based upon the submission.

Safe Harbor

KPA Services, LLC will not initiate a lawsuit or law enforcement investigation against any researcher if they abide by the terms and conditions defined on this page along with our privacy policy. Any attempts at extortion such as blackmail, ransomware, threats, or any other illegal activities will violate the safe harbor agreement and may result in legal action.

Disclosure Process

If you believe you’ve discovered a potential vulnerability, please let us know by emailing disclosure@kpa.io. Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or third parties. We aim to resolve critical issues within 30 days of disclosure.

In-Scope Domains

KPA has multiple product offerings and corporate websites. The following domains (and their subdomains) are within the scope of this responsible disclosure program.

  • anchorock.com
  • compli.com
  • compligo.com
  • complynet.com
  • iscout.com
  • kpa.io
  • kpaehs.com
  • kpahrm.com
  • kpapartnerresources.com
  • laborandemploymentsource.com
  • lossfreerx.com
  • mtssafety.com
  • mykpa.com
  • mykpaonline.com
  • onmats.com
  • succeedms.com
  • verasuite.com

In-Scope Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality, integrity or availability of user data is likely to be in scope for this program. The list below gives examples of vulnerabilities that should be submitted if found.

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication or Authorization Flaws
  • Server-Side Request Forgery (SSRF)
  • Injections (SQL, LDAP, OS)
  • XML External Entity (XXE)
  • Remote Code Execution (RCE)
  • Directory indexing/traversal
  • Sensitive data exposure

Out-of-Scope Vulnerabilities

Please do not submit any of the following unless you deem it to be a serious vulnerability.

  • CSRF on forms that are available to anonymous users
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions
  • Lack of Secure/HttpOnly flags on non-sensitive cookies
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Phishing or Social Engineering Techniques
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Sender Policy Framework (SPF) configuration suggestions

Prohibited Actions

The following activities are strictly prohibited.

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Social engineering or phishing of KPA employees or contractors
  • Ransom or extortion based activities leveraging KPA systems or data
  • Attacks against KPA’s employees, physical property, or data centers
  • Distribution or execution of malware of any kind against or using any KPA systems
  • Deliberate destruction, corruption, or modification of KPA data
  • Retaining or distributing confidential information obtained from testing
  • Violation of local, state, federal or any other laws applicable to you or KPA
  • 3rd party services leveraged by KPA systems/applications
  • Creating links to other sites without prior written consent
  • Modifying sites to display inappropriate, vulgar, illegal or otherwise offensive materials