Vulnerability disclosure program

Our Vulnerability Disclosure Program aims to minimize the impact that any security breach could have on our tool or on its users. To be eligible under the Program, the vulnerability must exist in the latest public version. Note that only security vulnerabilities will be assessed.

Guidelines and scope limitations

Before reporting, please review the following information, including our disclosure policy, scope, and other guidelines. To encourage vulnerability research and avoid any confusion between good-faith hacking and malicious attack, we ask that you:

  1. Follow this Disclosure Program, as well as any other relevant agreements.
  2. Do not cause any damage, do not disrupt the operation of the application, and do not act against our Terms of Use Agreement.
  3. Do not intentionally access non-public Keybe data beyond what is necessary to demonstrate the vulnerability.
  4. Do not access, modify, destroy, save, transmit, alter, transfer, use or view data that belongs to someone other than you. If a vulnerability provides inadvertent access to such data, stop testing, purge any local copies, and submit a report immediately.
  5. Avoid violating the privacy of others, disrupting our systems, destroying data and/or impairing the user experience.
  6. Do not compromise the privacy or security of our customers or the operation of our services. Such activity will be treated as illegal.
  7. Keep the details of any vulnerability you discover confidential, in accordance with this Disclosure Program. Uncoordinated public disclosure of a vulnerability may result in disqualification from this program.
  8. Comply with applicable laws and regulations.
  9. Use only the designated official channels to discuss vulnerability information with us.

In return, if you conduct a genuine vulnerability investigation in accordance with this Disclosure Program, we consider that investigation to be:

  1. Authorized under the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws); we will not initiate or support legal action against you for good-faith, accidental violations of this Disclosure Program committed in the course of a genuine vulnerability investigation.
  2. Exempt from the Digital Millennium Copyright Act (DMCA); we will not bring a claim against you for circumventing technological controls in the course of a genuine vulnerability investigation conducted in accordance with this Disclosure Program.
  3. Exempt from any restrictions in our Terms of Use Agreement that would interfere with a genuine vulnerability investigation; we waive those restrictions on a limited basis for such investigations conducted under this Disclosure Program.
  4. Lawful, beneficial to the general security of the Internet, and carried out in good faith.

We reserve the right not to act on findings that have no real impact on the integrity or security of our data. Any investigation that violates the conditions of this Program, the Terms of Use Agreement, our security documentation, the GDPR or applicable legislation will be treated as bad-faith and unlawful activity. We are not required to provide remuneration, fees or rewards for the disclosure of a vulnerability; any such payment is at our sole discretion.

If at any time you are concerned or unsure whether your security investigation is consistent with this Disclosure Program, please submit a report through one of our official notification channels before proceeding further.

Scope of application

At this time, the following services and applications are in scope:

Application and web infrastructure:

Outside the scope of application

We only accept manual or semi-manual testing; findings produced solely by automated tools or scripts are considered out of scope. Issues without a clearly identified security impact, missing security headers, and descriptive error messages are also out of scope.

These items are also considered outside the scope:

  1. Attacks designed or likely to degrade, deny or negatively affect services or the user experience (e.g. denial of service, distributed denial of service, brute force, password spraying, spam).
  2. Attacks designed or capable of destroying, corrupting or making unreadable (or attempting to do so) data or information that does not belong to you.
  3. Attacks designed or capable of validating stolen credentials, credential reuse, account takeover (ATO), hijacking, or other credential-based techniques.
  4. Intentionally accessing data or information that does not belong to you beyond the minimum access necessary to demonstrate the vulnerability.
  5. Physical, social-engineering or electronic attacks against our staff, offices, wireless networks or property.
  6. Security issues in third-party applications, services or dependencies that integrate with Keybe's products or infrastructure (e.g. libraries, SaaS services) without a demonstrable proof of concept of the vulnerability.
  7. Security issues or vulnerabilities created or introduced by the reporter (for example, modifying a library we trust to include a vulnerability for the sole purpose of receiving a reward).
  8. Attacks on any system not explicitly listed as authorized and in scope.
  9. Reports of missing "best practices" or other guidelines that do not indicate a security problem.
  10. Attacks or reports related to email servers, email protocols, email security controls (e.g. SPF, DKIM, DMARC) or spam.
  11. Missing cookie flags (e.g. HttpOnly, Secure) on non-sensitive cookies.
  12. Reports of weak SSL/TLS configuration (unless accompanied by a working proof of concept).
  13. Reports on how to determine whether a given customer can authenticate with one of our products or services.
  14. Reports mapping internal code names to customer names.
  15. Reports consisting only of port or IP scan results.
  16. Missing HTTP headers (for example, missing HSTS).
  17. Banner disclosure, fingerprinting, or software or infrastructure version disclosure with no proven vulnerability.
  18. Reports of clickjacking or self-XSS.
  19. Reports of publicly resolvable DNS records pointing to internal hosts or infrastructure.
  20. Phishing based on look-alike domains, typosquatting, punycode, bit-flipped domains or similar techniques.
  21. Violation of any law or breach of any agreement (or any report thereof).

Report

Findings must be supported by clear, precise documentation, without speculation. Every finding should state its relevance and impact. Provide a detailed summary of the vulnerability, including the purpose, steps, tools and artifacts used during discovery, so that we can reproduce it.

To ensure that your findings are communicated correctly, use only the approved channel: report the discovered vulnerability by email to [email protected].