Responsible Disclosure

At Ayvens, we consider the security of our systems a high priority. However, despite the considerable care we take regarding security, we realise that vulnerabilities can and will remain. If you do find such a vulnerability, we would appreciate being notified as soon as possible so that we can take appropriate measures to remediate it swiftly.

Please note that our responsible disclosure policy is not an invitation to actively probe our business network or internet-facing services to discover vulnerabilities. Such probes attract the attention of our security team and may trigger (costly) security investigations.

What we request from you

What we promise to do at Ayvens Digital

What to report

  1. Persistent Cross Site Scripting (XSS)

  2. Cross Site Request Forgery (CSRF)

  3. Broken Authentication

  4. XML Injections (XXE)

  5. SQL Injection (SQLi)

  6. Vulnerabilities concerning Encryption with working exploit POC

  7. Authentication Bypass (Unauthorised Sensitive Data Access)

  8. Cross Tenant Data Leak

  9. Directory Traversal

  10. Security misconfiguration having a severe impact. These will be evaluated on a case-by-case basis.

Please DO NOT report:

How should you report?

Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you might have. You can assume that the notification will be received by security experts, namely the Ayvens Security Team. Please also write your report in English. We encourage you to send the e-mail encrypted; please use the PGP key at the bottom of this page. Include the following in your disclosure e-mail:

Rewards

Please be aware that Ayvens currently cannot offer rewards for (security) bug reports.

For follow-up we will ask for your contact details (name, e-mail, PGP key and optionally a phone number) unless you choose to report anonymously.

Your personal information is used only to contact you and to take action on your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless the law requires us to provide it or an external organisation takes over the investigation of your reported vulnerability. In that case we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.

Our PGP key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID:LeasePlan <responsible-disclosure@leaseplan.com>
Comment: Created:6/3/2019 1:42 PM
Comment: Expires:6/3/2021 12:00 PM
Comment: Type:2048-bit RSA (secret key available)
Comment: Usage:Signing, Encryption, Certifying User-IDs
Comment: Fingerprint:6BDC829FEABC7782CB8E4722312FF80AB00549E7

mQENBFz1B7ABCAC/p7phmRYxpkQvFLsR0XuvdoQlmuh48V5hLqknXzhXHu1GjUn3
qIsCmm++1F94DQ2t8XSJTCAEHbDLdHdXf69cJLr4MqZKvKPHpnK89thuQOEV5WuO
kywy3db4JNerGA04HH7VSuKhljC5KCYoF2UIVaMepCGXHTmVu51nh0h5aSkZlkjV
eTXlcjvmgdgBnLt2+DAkC/Wn6VeSTl1/0vOVcuOapcG2z9hUV8C85g8WHtAZf5Rj
rYuLIs1t7+x2ZFAHb12I6eK4zgnO1x40e1aVoKqR040JK6SXRY7Z9k7kpxrjL3ah
6KRL2dhmG8DVAoN6bKMq5mtPe8qhJ2uD4e1LABEBAAG0MExlYXNlUGxhbiA8cmVz
cG9uc2libGUtZGlzY2xvc3VyZUBsZWFzZXBsYW4uY29tPokBVAQTAQgAPhYhBGvc
gp/qvHeCy45HIjEv+AqwBUnnBQJc9QewAhsDBQkDw6BwBQsJCAcCBhUKCQgLAgQW
AgMBAh4BAheAAAoJEDEv+AqwBUnnZ9UH/Rc75f2jrCfWXUYPEX7A26tRNqLP5Xp+
8SDVwLgRPZD6oa3LzfWuPU/cYGMPUcZHN1lyQM9V3CGA+3MnH4w6DTPkjnxv78sg
yequ10B+0P8PrZVzUCDXxiK8q/Trwjtqidbo8/S9h/CwD6k+u7B/6rCkiYztoTZw
aR7WcUZrF3Hp/Q2FFVR0WftK4ur8+4ZF/x2svhiosV0wJ+yaIAxnBBfMMMwteAh3
jmqmHBC+dUHB2DfkcG7YzJvYu4/4AdlUkjgB3EJFDlHWZaZ6Qg2A58MKwt3YLOBF
zet7baFIgaRi1oaohpHS46eEMFifomGY3fYcwtlvcMt14Jh7A+2ns+e5AQ0EXPUH
sAEIAMxYAUT5xVJucRDSHkylfJjvvIUdE4v0qVM3/WeNe5UlxYwJO18DJsOAIXXX
wA3D2Z0LM59uDt2UEI5mBKv79Cp+dZsZx2nxnmvDs6eNe5CYMatu5EFeYH0He98a
VVsBoNtSlTehcsFEcg79GUimY+Be394HAwwKVDQ0WGmp8lur3UAXy+B1PW5oNb5Y
Z4N5UWKFxQPZHbZ65+qUtPZGYV3PdNnlRhqJw6RxfiXpQ4GPAWvHls1yZPJ4N9y3
W04CVQLGK4PBELR6kLmUzvsBT6W5Dq+AowOvF5LmBMS1bsKMLBmx6G1iF3bmQTaZ
h5KWri2H/xuKXMqqLHd05yv3RZMAEQEAAYkBPAQYAQgAJhYhBGvcgp/qvHeCy45H
IjEv+AqwBUnnBQJc9QewAhsMBQkDw6BwAAoJEDEv+AqwBUnnctsIAKp8WZwYOLmX
rY70kFveZwkfb4Fd650XCLEj6SkFECwUzeGn0Lr1KI1yb0YyLoDds4MdWI3TuSGC
MnFP2g0Mmw/+cXXKR6QDTAuH/FFDRqVo8vrl5OJe/RknTKsgqslD0H3q64dlXxtB
XF+ymRjm40qITrc8HXS2QFe73JDyu9+ulyZf4AvFXY4WkDyql/M3a2DI0XyhbrN2
NsmAwk4+eS/yyoHuR1PQJgRs1YjVIvYILyU7DZ94KanRUtBW7uo89Zg9Uek0VZbi
78lw5XG1wOOMBovNLFdMgBq/o0bRJPldObBKrq8/b0rhXmcfjM5VDCQJlu+l0n3H
YEsObegLMBQ=
=SfxF
-----END PGP PUBLIC KEY BLOCK-----
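The page asks reporters to encrypt their e-mail with the key above. The script below is an added example of how a reporter would do that with GnuPG in a way that guards against a swapped or look-alike key: it imports the armored key into a throwaway keyring, compares the fingerprint GnuPG computes with the fingerprint printed in the key's own Comment header (6BDC829FEABC7782CB8E4722312FF80AB00549E7), and only then encrypts the report to that fingerprint. It is not part of the Ayvens policy or its tooling. It assumes GnuPG is installed, that the key block was saved to a file (the file names ayvens-rd.asc, report.txt and report.txt.asc are assumptions for illustration), and that the report is a plain-text file. Note that the key header lists Expires:6/3/2021; GnuPG treats an expired key as unusable for encryption, so if the import step reports the key as expired, request a current key before sending anything.

```shell
#!/bin/sh
# Added example (not from the Ayvens page): verify the published key's
# fingerprint, then encrypt a vulnerability report to it with GnuPG.
set -eu

# Fingerprint exactly as printed in the key's "Comment: Fingerprint:" header.
EXPECTED_FPR="6BDC829FEABC7782CB8E4722312FF80AB00549E7"

# Normalise a fingerprint for comparison: drop spaces and colons, uppercase.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when the two fingerprints are the same after normalisation.
fpr_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Pull the "Comment: Fingerprint:" value out of an ASCII-armored key file.
# The comment is informational only; the value gpg computes is authoritative.
armor_comment_fpr() {
  sed -n 's/^Comment: *Fingerprint: *//p' "$1" | head -n 1
}

# Import the key into a temporary keyring, check the computed fingerprint
# against EXPECTED_FPR, and encrypt the report to that fingerprint.
#   $1 = armored key file, $2 = plaintext report, $3 = output file
encrypt_report() {
  keyfile="$1"; report="$2"; out="$3"
  gpgdir="$(mktemp -d)"   # private keyring so the check is not polluted

  gpg --homedir "$gpgdir" --batch --quiet --import "$keyfile"

  # With --with-colons, "fpr" records carry the fingerprint in field 10.
  actual="$(gpg --homedir "$gpgdir" --batch --with-colons --fingerprint \
            | awk -F: '$1 == "fpr" { print $10; exit }')"

  if ! fpr_matches "$actual" "$EXPECTED_FPR"; then
    echo "fingerprint mismatch: expected $EXPECTED_FPR, got $actual" >&2
    rm -rf "$gpgdir"
    return 1
  fi

  # Address the recipient by fingerprint, never by e-mail address, so a
  # second key with the same User-ID cannot be selected by accident.
  # --trust-model always skips the web-of-trust prompt for this one-off
  # keyring; it does not make an expired key usable.
  gpg --homedir "$gpgdir" --batch --trust-model always \
      --recipient "$EXPECTED_FPR" --armor --output "$out" --encrypt "$report"

  rm -rf "$gpgdir"
  echo "encrypted report written to $out"
}

# Usage: ./encrypt_report.sh ayvens-rd.asc report.txt report.txt.asc
if [ "$#" -eq 3 ]; then
  encrypt_report "$1" "$2" "$3"
fi
```

The resulting report.txt.asc is ASCII-armored and can be pasted into the body of the e-mail or attached as a file. Reporters who have their own key can add `--local-user <their key> --sign` to the encrypt command so the team can also verify who sent the report.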