Disclosure policy

Principles

We consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our systems.

Testing should be performed only on systems listed under the program brief Scope section. Any other systems are Out Of Scope.

If you have found a vulnerability:

  • Contact us at security@xebia.com;
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people’s data;
  • Do not reveal the problem to others until it has been resolved;
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications;
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation; and
  • Actions which affect the integrity or availability of program targets are prohibited, and this is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.

What we promise:

  • We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date;
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report;
  • We will handle your report with strict confidentiality, and will not pass on your personal details to third parties without your permission;
  • We will keep you informed of the progress towards resolving the problem; and
  • In the public information concerning the reported problem, we will, at your request, credit you by name as the discoverer of the problem.

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.

Scope:

  • Xebia.com
  • All Xebia.com subdomains.

Out of scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating).
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Findings from applications or systems not listed in the Scope section.
  • Functional, UI and UX bugs, and spelling mistakes.
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.

Findings you may report, but that we are not interested in:

  • SPF, DKIM and DMARC issues.
  • Low-impact information disclosures (including software version disclosure).
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking, and issues only exploitable through clickjacking.
  • Use of a known-vulnerable library which leads only to a low-impact vulnerability (e.g. an outdated jQuery version leading to low-impact XSS).
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser autocomplete or save-password functionality.
  • Lack of Secure and HttpOnly cookie flags.
  • Lack of a security speed bump (warning page) when leaving the site.
  • Weak CAPTCHA / CAPTCHA bypass.
  • Username enumeration via login page error messages.
  • Username enumeration via forgot-password error messages.
  • Login or forgot-password page brute force, and account lockout not being enforced.
  • OPTIONS / TRACE HTTP methods enabled.
  • SSL/TLS best-practice findings that do not come with a fully functional proof of concept.
  • SSL/TLS attacks such as BEAST, BREACH and renegotiation attacks.
  • SSL/TLS forward secrecy not enabled.
  • SSL/TLS insecure cipher suites.
  • Missing anti-MIME-sniffing header (X-Content-Type-Options).
  • Missing HTTP security headers.

Improvements:

If you think items in this policy should be revised, please contact us as well, so we can improve this document or the applicable scope.

Version history:

2022-12-28 – Initial version published