skip to Main Content
KPA Logo

Responsible Disclosure Policy

Data security is a top priority for KPA Services, LLC and we believe that working with skilled security researchers can identify weaknesses in any technology. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk.

If you believe you’ve found a security vulnerability in KPA’s service, please notify us using the instructions in the disclosure process section and we will work with you to resolve the issue promptly.

We currently do not have an officially defined financial reward system “bug bounty program” in place. As such, compensation should not be expected after submission. However, KPA Services, LLC may at our discretion reward researchers based upon the submission.

Safe Harbor

KPA Services, LLC will not initiate a lawsuit or law enforcement investigation against any researcher if they abide by the terms and conditions defined on this page along with our privacy policy. Any attempts at extortion such as blackmail, ransomware, threats, or any other illegal activities will violate the safe harbor agreement and may result in legal action.

Disclosure Process

If you believe you’ve discovered a potential vulnerability, please let us know by emailing [email protected]. We will acknowledge your email within 7 business days. Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or third parties. We aim to resolve critical issues within 30 days of disclosure.

In-Scope Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality, integrity or availability of user data is likely to be in scope for this program. The list below are examples of vulnerabilities that should be submitted if found.

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Authentication or Authorization Flaws
  • Server-Side Request Forgery (SSRF)
  • Injections (SQL, LDAP, OS)
  • XML External Entity (XXE)
  • Remote Code Execution (RCE)
  • Directory indexing/traversal
  • Sensitive data exposure

Out-of-Scope Vulnerabilities

Please do not submit any of the following unless you deem it to be a serious vulnerability.

  • CSRF on forms that are available to anonymous users
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Domain Name System Security Extensions (DNSSEC) configuration suggestions
  • Banner disclosure on common/public services
  • HTTP/HTTPS/SSL/TLS security header configuration suggestions
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • Logout Cross-Site Request Forgery (logout CSRF)
  • Phishing or Social Engineering Techniques
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
  • Sender Policy Framework (SPF) configuration suggestions

Prohibited Actions

The following activities are strictly prohibited.

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Social engineering or phishing of KPA employees or contractors
  • Ransom or extorsion based activities leveraging KPA systems or data
  • Attacks against KPA’s employees, physical property, or data centers
  • Distribution or execution of malware of any kind against or using any KPA systems
  • Deliberate destruction, corruption, or modification of KPA data
  • Retaining or distributing confidential information obtained from testing
  • Violation of local, state, federal or any other laws applicable to you or KPA
  • 3rd party services leveraged by KPA systems/applications
  • Creating links to other sites without prior written consent
  • Modifying sites to display inappropriate, vulgar, illegal or otherwise offensive materials
Back To Top Services: Compliance Services Services: Workplace Health and Safety Services Services: Environmental Risk Management Services About: Leadership Software: Online Training About: Who We Are Resources: Library Resources: Events and Webinars Resources: Blog YouTube Twitter LinkedIn