Responsible Disclosure

Plauti considers the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities.

If you discover a vulnerability, we would like to know about it so we can address it as quickly as possible. We ask you to help us better protect our clients and our systems.

Instructions

  • E-mail your findings to disclosure@plauti.com.
  • Do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.
  • Please provide sufficient information to reproduce the problem so we can resolve it as quickly as possible. Usually, the affected system's IP address or URL and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

Our promise

  • We will respond to your report within five business days with our evaluation of the report and an expected resolution date.
  • If you have followed the instructions above, we will not take any legal action against you with regard to the report.
  • We will handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress toward resolving the problem.
  • We strive to resolve all issues as quickly as possible.

Out of scope

  • Any finding on our marketing website www.plauti.com
  • Broken Link Hijacking
  • Any type of Denial of Service attack, and recommendations to mitigate these
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages, and Content Spoofing/Text Injection on these pages
  • Fingerprint/version banner disclosure on common/public services
  • Disclosure of known public files or directories or non-sensitive information (e.g. robots.txt)
  • Clickjacking and issues only exploitable through clickjacking
  • Lack of Secure/HttpOnly flags on non-sensitive cookies
  • OPTIONS HTTP method enabled
  • Anything related to HTTP security headers, e.g.:
      • Strict-Transport-Security
      • X-Frame-Options
      • X-XSS-Protection
      • X-Content-Type-Options
      • Content-Security-Policy
  • SSL/TLS configuration issues:
      • Forward secrecy not enabled
      • Weak/insecure cipher suites
  • SPF, DKIM, and DMARC issues
  • Host header injection
  • Reports of outdated software versions without a proof of concept or working exploit
  • Information leakage in metadata

This Responsible Disclosure Policy is not an invitation to actively scan our network or our systems for weaknesses. We monitor our networks and applications, so your scan is likely to be picked up and investigated by our team.