At Kooi, we place great importance on the security of our systems. Despite our efforts to identify vulnerabilities, some weaknesses may still go unnoticed. If you discover a vulnerability in our systems, we would greatly appreciate you reporting it to us. Your report enables us to take swift action and improve the security of our systems and of our users. Your collaboration in this process is highly valued.
Not an invitation to active scanning
Our responsible disclosure policy is not an invitation to actively scan our network or systems for vulnerabilities. We conduct active monitoring of our corporate network ourselves. As such, your scans are likely to be detected, which may result in an investigation by our Computer Emergency Response Team (CERT) and potentially unnecessary costs.
Legal consequences
During your research, you might engage in activities that are legally considered punishable. However, if you adhere to the conditions set out in this policy, we will not take legal action against you. It is important to note that the Public Prosecution Service reserves the right to decide whether to pursue criminal prosecution.
Our Requests to You
- Report your findings as soon as possible to cvd@247kooi.com.
- Do not exploit the vulnerability by, for example:
  - Downloading more data than necessary to demonstrate the vulnerability.
  - Modifying or deleting data.
- Be extra cautious with personal data.
- Do not share the vulnerability with others until it has been resolved.
- Avoid attacks involving physical security, third-party applications, social engineering, (distributed) denial-of-service, malware, or spam.
- Provide sufficient information to reproduce the vulnerability so we can resolve it as quickly as possible. Typically, the IP address or URL of the affected system and a description of the vulnerability and the actions performed are sufficient. However, more details may be required for complex vulnerabilities.
Our Promises to You
- A response within five working days with our assessment of your report and an expected resolution date.
- Your report will be treated confidentially, and we will not share your personal information without your consent.
- We will keep you informed about the progress of resolving the vulnerability.
- If desired, we will mention your name as the discoverer in our communication about the reported vulnerability.
- As a token of our appreciation, we offer, if desired, a mention on our website.
- We aim to resolve all issues as quickly as possible and play an active role in preventing security incidents.
Out of Scope
At Kooi, we do not reward trivial vulnerabilities or bugs that cannot be exploited. Below is a list of known vulnerabilities and accepted risks that fall outside the scope of our Coordinated Vulnerability Disclosure program:
- HTTP errors and content injection: such as HTTP 404 codes or other non-200 codes, and content spoofing or text injection on these pages.
- Fingerprinting and version disclosure: information about versions of public services.
- Public files or directories: such as robots.txt or other files containing non-sensitive information.
- Clickjacking: vulnerabilities that can only be exploited through clickjacking.
- Non-sensitive cookies: the absence of secure or HTTP-only flags on cookies containing non-sensitive information.
- HTTP methods: such as enabled OPTIONS methods.
- SSL configuration: issues such as weak/insecure cipher suites, disabled SSL Forward Secrecy, or other SSL configuration issues.
- Email verification: such as issues with SPF, DKIM, or DMARC.
- Host header injection: without demonstrable risk.
- Outdated software: reports of outdated software versions without proof of concept for a working exploit.
- Metadata: exposure of non-sensitive information in metadata.
- HTTP security headers: for example, missing or incorrect configurations of:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy
This list is intended to clarify what falls outside the scope of our policy. If you have any doubts, feel free to contact us at cvd@247kooi.com.