Introduction
At Kallipr we take the security of our products and systems seriously and we value the work done by the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
This vulnerability disclosure policy is intended to give security researchers a clear scope and guidelines for conducting vulnerability testing of Kallipr websites, web services and products, and to explain how to submit discovered vulnerability reports to us.
Guidelines
Kallipr requests adherence to the following guidelines when conducting vulnerability testing:
Minimize Impact – Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Be Responsible – Only use exploits to the extent necessary to confirm a vulnerability’s presence and do not use attacks that directly target customers, staff (physical testing, social engineering, etc.), or the availability of services (denial of service, etc.).
Confidentiality – Do not reveal the problem to others until it has been resolved.
These guidelines are designed to be compatible with good practice coordinated vulnerability disclosure processes. They do not give you permission to act in any manner that is against the law, or which might cause Kallipr or any other organisations to be in breach of any legal obligations.
We value those who take the time and effort to report security vulnerabilities; however, we do not offer monetary rewards for vulnerability disclosures. If desired, we will publish your name/alias as recognition after the completion of the vulnerability disclosure process.
Scope
All Kallipr websites and web services
All Kallipr products
Kallipr Kloud Fleet
Kallipr Kloud Field App
Captis Series 1 (all variants)
Captis Series 2 (all variants)
Reporting Vulnerabilities
If you identify a potential security vulnerability, report it via security@kallipr.com. If you need to encrypt the information, please use our public PGP key.
Include the following details in your report:
Description of the location/product and potential impact of the vulnerability
A detailed description of the steps required to reproduce the vulnerability (PoC scripts or screenshots are helpful)
Do not include:
Sensitive Personally Identifiable Information (PII)
Credit card data
Our Commitment
Within 5 business days we will acknowledge the receipt of the report
Whilst we cannot provide patches in a fixed timeframe, we will maintain an open dialogue and endeavour to keep you informed at every stage of the process
If you have followed our guidelines, we will not take legal action against you in regard to the report
If desired, we will publicly publish and recognize your contribution, if you are the first to report the issue