Responsible Disclosure Policy
Data security is a top priority for KPA Services, LLC, and we believe that working with skilled security researchers can help identify weaknesses in any technology. Publicly disclosing a security vulnerability without informing us first puts the rest of the community at risk.
If you believe you’ve found a security vulnerability in KPA’s service, please notify us using the instructions in the disclosure process section and we will work with you to resolve the issue promptly.
We currently do not have an officially defined financial reward system (a "bug bounty program") in place. As such, compensation should not be expected after submission. However, KPA Services, LLC may, at our discretion, reward researchers based upon the submission.
If you believe you’ve discovered a potential vulnerability, please let us know by emailing email@example.com. We will acknowledge your email within 7 business days. Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or third parties. We aim to resolve critical issues within 30 days of disclosure.
Any design or implementation issue that substantially affects the confidentiality, integrity or availability of user data is likely to be in scope for this program. The list below gives examples of vulnerabilities that should be submitted if found.
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Authentication or Authorization Flaws
- Server-Side Request Forgery (SSRF)
- Injections (SQL, LDAP, OS)
- XML External Entity (XXE)
- Remote Code Execution (RCE)
- Directory indexing/traversal
- Sensitive data exposure
Please do not submit any of the following unless you deem it to be a serious vulnerability.
- CSRF on forms that are available to anonymous users
- Disclosure of known public files or directories (e.g. robots.txt)
- Domain Name System Security Extensions (DNSSEC) configuration suggestions
- Banner disclosure on common/public services
- HTTP/HTTPS/SSL/TLS security header configuration suggestions
- Lack of Secure/HTTPOnly flags on non-sensitive cookies
- Logout Cross-Site Request Forgery (logout CSRF)
- Phishing or Social Engineering Techniques
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Sender Policy Framework (SPF) configuration suggestions
The following activities are strictly prohibited.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS)
- Social engineering or phishing of KPA employees or contractors
- Ransom or extortion-based activities leveraging KPA systems or data
- Attacks against KPA’s employees, physical property, or data centers
- Distribution or execution of malware of any kind against or using any KPA systems
- Deliberate destruction, corruption, or modification of KPA data
- Retaining or distributing confidential information obtained from testing
- Violation of local, state, federal or any other laws applicable to you or KPA
- Third-party services leveraged by KPA systems/applications
- Creating links to other sites without prior written consent
- Modifying sites to display inappropriate, vulgar, illegal or otherwise offensive materials