Responsible disclosure statement

At Pink Elephant, we consider the security of our systems very important.

Despite our care for the security of our systems, there may still be a weakness. If you have found a weakness in one of our systems, we would like to hear about it so that we can make the necessary changes as soon as possible. We would like to work with you to better protect our customers and our systems.

We ask you to:

  • send your finding to security@pinkelephant.nl
  • not abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak, or viewing, deleting or modifying third-party data;
  • not share the problem with others until it is resolved, and delete all confidential data obtained through the leak immediately after the leak is closed;
  • not make use of attacks on physical security, social engineering, distributed denial of service, spam or third-party applications;
  • provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or URL of the system used and a description of the network configuration is sufficient, but more information may be required for more complex network configurations.

We promise to:

  • respond to your report within 5 days with our assessment of the report and an expected date for a fix;
  • not take any legal action against you if you comply with the conditions set out above regarding notification;
  • treat your report confidentially and not share your personal data with third parties without your permission, unless this is necessary to fulfil a legal obligation;
  • keep you informed of the progress of resolving the problem;
  • mention your name, if you wish, as the discoverer in any communication about the reported problem;
  • resolve the problem as soon as possible;
  • involve you in any publication about the problem after it is resolved.

Known false positives:

When reporting potential vulnerabilities, consider realistic attack scenarios and the security impact of the behaviour. Below are the most common false positives we encounter. The following issues should be fixed as soon as possible, keeping in mind that they have a direct impact on security.

  • Fingerprinting/disclosure of version banners on general/public services
  • Disclosure of known public files, directories or non-sensitive information (e.g. robots.txt)
  • Clickjacking and problems that can only be exploited by clickjacking
  • Missing cookie flags on non-sensitive cookies
  • SPF and DKIM on domains other than true.co.uk.
  • DMARC problems
  • Missing DNSSEC (implementation in progress)
  • Self XSS
  • Same Site Scripting / Localhost DNS record
  • Problems due to changing browser software
  • Known CVEs, for a reasonable period of time after the public release of a patch (usually 30 days)

The text above is an adapted version of Floor Terra's original Responsible Disclosure text and is published under a Creative Commons Attribution 3.0 licence. The original text can be found at responsibledisclosure.co.uk.