
Vulnerability Disclosure

At Modat, we consider the security of our systems a top priority. But no matter how much effort we put into system security, vulnerabilities can still be present. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. This helps us better protect our clients and our systems.

Publication  

You are always allowed to publish your findings, but please discuss this upfront with Modat: we want to make sure that issues are fixed before publication. Modat appreciates security researchers' efforts in reporting vulnerabilities in our systems, provided the discovered vulnerability is in scope, was detected without intrusive testing techniques, and the disclosure guidelines below are followed.

 

Bounties  

Depending on the severity of the finding, we are willing to offer a bounty. As we are a startup organization, this will be for a limited amount.

 

Rules of Engagement  

Reports must be written in English and should include a clear attack scenario with detailed reproduction steps. During your investigation, make sure that you do not cause any damage or disruption to our systems: do not alter, change or delete data on our systems.

 

It is not allowed to put a backdoor in the system, not even for the purpose of demonstrating the vulnerability, as inserting a backdoor would cause even more damage to the safety of our systems. Do not penetrate the system any further than required for the purpose of your investigation. During your research, make sure that you do not inadvertently cause a data breach (e.g. by sharing screenshots or recordings via a third-party cloud solution). We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.

 

Legal regulations for vulnerability disclosure may differ by country. We strongly advise you to consider these regulations. Your investigation of our systems could be regarded as a criminal act under local or international law, and you may then risk criminal prosecution. If you have detected vulnerabilities in one of Modat's systems, please be aware that local law takes precedence over Modat's rules. Nevertheless, if you act in good faith and according to Modat's rules, we will not report your actions to the authorities, unless we are required to do so by law.

 

General  

  • If a reported vulnerability was already known to the company from our own tests or other reports, it will be flagged as a duplicate.

  • Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interaction to be exploited, may be excluded or lowered in severity.

  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.

  • Do not use social engineering to gain access to our systems.

  

The following are out of scope for this policy:

  • Domains  

    • Domains not owned by Modat  

 

  • Application  

    • Pre-Auth Account takeover/OAuth squatting  

    • Self-XSS that can't be used to exploit other users  

    • Verbose messages/files/directory listings without disclosing any sensitive information  

    • CORS misconfiguration on non-sensitive endpoints  

    • Missing cookie flags  

    • Missing security headers  

    • Cross-site Request Forgery with no or low impact  

    • Presence of autocomplete attribute on web forms  

    • Reverse tabnabbing  

    • Bypassing rate limits or the non-existence of rate limits

    • Best practices violations (password complexity, expiration, re-use, etc.)  

    • Clickjacking on pages with no sensitive actions  

    • CSV Injection  

    • Sessions not being invalidated (logout, enabling 2FA, etc.)  

    • Mixed content type issues  

    • Cross-domain referrer leakage  

    • Anything related to email spoofing, SPF, DMARC or DKIM  

    • Content injection on error pages  

    • Username/email enumeration  

    • Email bombing  

    • HTTP Request smuggling without any proven impact  

    • Homograph attacks/typosquatting

    • XMLRPC enabled  

    • Banner grabbing/Version disclosure  

    • Open ports without an accompanying proof-of-concept demonstrating vulnerability  

    • Weak SSL configurations and SSL/TLS scan reports  

    • Not stripping metadata from images

    • Disclosing API keys without proven impact  

    • Same-site scripting  

    • Blind SSRF without proven impact (DNS pingback only is not sufficient)  

    • Disclosed and/or misconfigured Google API key (including maps)  

    • Host header injection without proven impact  

    • Spam, social engineering and physical attacks  

    • DoS/DDoS attacks or brute force attacks  

    • Reports that state that software is out of date/vulnerable without a proof-of-concept  

    • Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts

 
Please e-mail your findings to security@modat.io

 

This responsible disclosure is based on Floor Terra's text, published under the CC BY 3.0 NL license. 
