Security

SDB Groep Coordinated Vulnerability Disclosure

At SDB Groep, the security of our systems is very important to us. Despite our concern for the security of systems, it is possible that there is a weak spot. If you have found a weakness in one of our systems, please let us know so that we can address it as quickly as possible. We are committed to working together to protect our customers and our systems.

We ask you to follow these rules:

Do

• Report your findings through https://app.zerocopter.com/en/cvd/476c66bd-2198-4f33-9552-99dfa573bdaa;
• Provide sufficient information to reproduce the problem so that we can solve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require more.
• Erase any obtained data through the leak from your devices that are not required to communicate the issue to us;
• Erase any other confidential information after the leak is closed or the issue has been resolved in any other way;

Don’t:

• Do not exploit the weakness to gain deeper access to systems. Report any vulnerability immediately.
• Do not download or otherwise access more data than is necessary to demonstrate the leak. Only use your own data where possible;
• Do not delete or modify any data that does not belong to you;
• Do not share information on the leak with others until the leak is confirmed to be closed;
• Do not use attacks on:
  • physical security,
  • social engineering/phishing,
  • third-party services.
• Do not perform (D)DoS or spam/mailbomb attacks;

What we promise:

• We will respond to your report within 3 days with our assessment of the report and an expected resolution date;
• If you have complied with the above conditions, we will not take legal action against you regarding the report;
• We treat your report confidentially and will not share your personal information with third parties without your explicit permission unless this is necessary to comply with a legal obligation;
• Reporting under a pseudonym is possible;
• We will keep you informed of the progress of solving the problem;
• In any reporting on the reported issue we will list your name as the discoverer, if you wish;
• As a thank you for your help, we may offer you a reward. We determine the size of the reward based on the seriousness of the leak and the quality of the report.

Additionally

• Many of the reports we receive deal with insignificant risks. To avoid disappointment we only ask for reports of realistic security vulnerabilities that can be concretely exploited; please see the exceptions list below to see what kind of risks we cannot reward.
• We strive to solve all problems as quickly as possible and we would like to be informed about any publication about the problem after it has been solved.
• If you want to exchange documents with employees of SDB Groep you can use our secure environment.

Issues for which we cannot reward you:

• Theoretical vulnerabilities without any evidence or demonstration of the actual presence of the vulnerability (Proof of Concept);
• Issues that require another vulnerability to exploit, without providing that vulnerability;
• Vulnerabilities requiring MITM, or physical access to a user’s browser, smartphone, or email account, as well as issues on rooted or jailbroken smartphones;
• Findings from automated tools without an accompanying working Proof of Concept;
• Reports on issues in third-party applications and services;
• Best practices violations regarding:
  • password complexity, expiration, re-use, etc.,
  • HSTS mechanism on client or server side,
  • soft token invalidation rules.
• Autocomplete attribute being present on forms;
• Captcha bypass using OCR;
• Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS;
• CORS or misconfiguration on non-sensitive endpoints;
• CSRF with no or low impact (such as on unauthenticated forms with no sensitive actions or logout endpoints);
• Cross-domain Referer leakage;
• CSV/formula injection;
• Disclosed API keys or other credentials without proven impact;
• E-mail bombing;
• Homograph attacks;
• Host header injection, unless you have confirmed that it can be exploited in a practical attack;
• HTTP Request smuggling without any proven impact;
• Hyperlink injection/takeovers;
• Image metadata not being stripped;
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
• Missing Security Headers without proven impact (framing, clickjacking, tapjacking);
• Missing Cookie flags;
• Mixed content type issues;
• Non-Sensitive Data Disclosure such as banner grabbing / version disclosure;
• One-click authorization from emails and login CSRF via these links;
• Open Ports without an accompanying working Proof of Concept;
• Open Redirects (except cases with additional impact, e.g. token hijacking);
• Known vulnerable software or library versions without an accompanying working Proof of Concept;
• Rate limiting or brute-force issues on non-authentication endpoints;
• Reverse tabnabbing;
• Same-site scripting;
• Self-XSS that cannot be used to exploit other users;
• Sessions not being invalidated (logout, enabling 2FA, ..);
• Username/email/data enumeration;
• Verbose messages/files/directory listings without disclosing any sensitive information;
• Weak SSL configurations and SSL/TLS scan reports;
• XMLRPC enabled on WordPress;