Vulnerability Disclosure Policy

Crunchr takes security and privacy very seriously and investigates all reported vulnerabilities. Despite the effort we put into the security of our services every day, vulnerabilities can still be present. This page describes our practice for addressing potential vulnerabilities in any aspect of our services.

Reporting a vulnerability

Have you discovered a security or privacy vulnerability in Crunchr services? Please report it to us. We welcome reports from everyone, including customers, security researchers and developers. This kind of report is known as a Coordinated Vulnerability Disclosure (CVD).

To report a vulnerability, please send an email to [email protected] that includes:

Service
The specific services that you believe are affected

Behavior
A description of the behavior you observed as well as the behavior that you expected

Description
A description of the issue found, as explicit and detailed as possible. Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Complex vulnerabilities may require further explanation. You can use step-by-step instructions, screenshots or a video demonstration for this. Feel free to provide any supporting material (Proof of Concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

Contact details
Your e-mail address or telephone number to enable us to contact you if we have any questions. We prefer to communicate via e-mail.

Offering a solution is highly encouraged but not required. Be assured that your notifications will be received by specialists. We only accept reports that are sent in the English or Dutch language.


In scope

In principle, any Crunchr-owned service is intended to be in scope. This includes all the content in the following domains:

*.crunchr.com
*.crunchrapps.com

Examples of qualifying vulnerabilities are:
• Remote Code Execution
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL Injection
• Encryption vulnerabilities
• Authentication bypasses and unauthorized data access

Out of scope

Crunchr will not process or reward vulnerability reports that cannot be abused or are trivial. Trivial reports include reports consisting of the output of (public) vulnerability scanners (e.g. port scanners). The following are examples of known and accepted vulnerabilities that are outside the scope of this CVD process:

• HTTP 404 codes/pages or other HTTP non-200 codes/pages and Content Spoofing/Text Injection on these pages
• Fingerprint version banner disclosure on common/public services
• Disclosure of known public files or directories or non-sensitive information (e.g. robots.txt)
• Clickjacking and issues only exploitable through clickjacking
• Lack of Secure/HTTPOnly flags on non-sensitive cookies
• OPTIONS HTTP method enabled
• Anything related to HTTP security headers, e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy
• SSL configuration issues, e.g. SSL forward secrecy not enabled, weak / insecure cipher suites
• SPF, DKIM, DMARC issues
• Host header injection
• Reporting older versions of any software without proof of concept or working exploit
• Information leakage in metadata
• Missing DNSSEC
• Username/e-mail enumeration through brute force attempts, e.g. via Login Page error message, Forgot Password error message

This list of exclusions is derived from a list used by the CERT of SURF (https://www.surf.nl/en/responsible-disclosure).


We ask you to:

• Report the vulnerability as soon as possible after discovering it
• Handle the knowledge of the vulnerability responsibly
• Be extra cautious with personal and confidential data

We ask you to never:

• abuse the found vulnerability by:
  – copying or downloading data (unless necessary to prove your finding)
  – changing (editing) or removing (deleting) data and services
  – repeatedly accessing the service or sharing access to it with others
  – causing damage or unavailability to our services

• sharing the vulnerability with others until it is resolved
• performing brute-force attacks, Denial-of-Service (DoS) attacks, spam attacks, or social engineering
• performing physical attacks against Crunchr employees, offices and services
• introducing malware or backdoors to services

What we promise

Responsible collaboration: we strive to solve all vulnerabilities as quickly as possible and keep all parties involved informed. Crunchr security experts will review your submitted report and will respond to your report within 5 business days with our evaluation of the report and an expected resolution date. We will keep you informed of the progress towards resolving the problem. We’ll contact you if we need more information. Crunchr will strive to have the vulnerability identified by you resolved within no more than 60 days. Upon resolution of the problem, we will consult with you to determine whether and in what way to publish details of the problem and its resolution.

Confidentiality & privacy: we will handle your report with strict confidentiality, and we will not share your personal details with third parties without your permission unless we are compelled to do so by law or by a court ruling. We will only specify your name as the discoverer of the vulnerability in question if you explicitly ask for this and give permission for us to do so.

Judicial prosecution: if you follow the conditions given in this CVD process, we will not take legal action against you. However, the Public Prosecutor always has the right to decide whether or not to prosecute you.

Reward: to encourage reporting vulnerabilities to Crunchr, we may give you a reward for your research but are not obliged to do so. You are, therefore, not automatically entitled to a reimbursement. The form of this reward is not fixed in advance and is determined by us on a case-by-case basis. Whether to give a reward and in which form depends on the seriousness of the vulnerability, the care taken in your investigation and the quality of the report.

Reward

You may receive a reward for your efforts. Crunchr reserves the right to make a final decision on whether a reward will be awarded. We will not reward when:

• The issue is already known or was already reported: in that case, only the first reporter will be rewarded
• The rules are not respected, or we find evidence of abuse