Ayvens

Responsible Disclosure

At Ayvens, we consider the security of our systems high priority. However, despite the considerable care we take regarding security, we realise that vulnerabilities can and will remain. If you do find such a vulnerability, we would appreciate to be notified as soon as possible so we may take appropriate measures to swiftly remediate.

Please note that our responsible disclosure policy is not an invitation to actively probe our business network / internet facing services to discover vulnerabilities. These probes do generate attention of our security team and might trigger (costly) security investigations.

What we request from you

Email your findings to responsible-disclosure@leaseplan.com. Please encrypt your findings using our PGP key to prevent sensitive information from falling into the wrong hands.
Do not take advantage of the vulnerability or problem you have discovered.
Do not reveal the problem to others until it has been resolved.
Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
Do provide adequate information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, although more information might be necessary for more complex vulnerabilities.

What we promise to do at Ayvens Digital

Our Digital Security Team will confirm receipt within two business days.
We will respond to your report within three business days with our evaluation of the report and an expected resolution date.
We will always treat your notification confidentially and will never share your personal data with third parties, except when obliged to do so by law or pursuant to a court ruling.
We will keep you informed of the progress towards resolving the problem.
We consult you on whether and how the issue is to be made public. We will never do so before the problem has been resolved. If we make the issue public, we will give you credit for identifying it, but only if you wish.

What to report

Persistent Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Broken Authentication
XML Injections (XXE)
SQL Injection (SQLi)
Vulnerabilities concerning Encryption with working exploit POC
Authentication Bypass (Unauthorised Sensitive Data Access)
Cross Tenant Data Leak
Directory Traversal
Security misconfiguration having a severe impact. These will be evaluated on case-by-case basis.

Please DO NOT report:

Any kind of Brute Force attacks

Username Dictionary Attack
OTP or MFA Brute Force as these mostly are serviced by third party
Forgot Password for Account lockout
Missing Rate Limiting Protection
Related to Cookies:

Missing “Secure” flag in cookie
Missing “HTTPOnly” flag in cookie
Social Engineering & Hacking
Self-XSS
Publicly accessible login pages for CMS/Administrative area
Denial of Service (DOS/DDOS) vulnerabilities
Security Headers related, such as but not limited to:

•
HTTP Strict Transport Security (HSTS)
- Public Key Pinning (HPKP)
- X-XSS-Protection
- X-Content-Options
- X-Content-Security-Policy (CSP)
- X-Webkit-CSP
HTTP Header Methods:

HTTP Trace method is enabled
OPTIONS, PUT, DELETE header methods excepted; (Only with working exploit)
Host Header Injection
Clickjacking and related exploitable attack vectors
Fingerprinting:

Banner Grabbing
Version Disclosure of public services
Cross-Site Request Forgery (CSRF) on publicly available forms for anonymous user:
Contact Form
Login Form
Autocomplete attribute is disabled
SSL/TLS Vulnerabilities related to configuration without a working Exploit:

Version Information
Weak Ciphers
SSL Forward Secrecy not Enabled
SSL attacks that are not remotely exploitable
Related to E-mail:

SPF
DKIM
DMARC
Related to DNS and Infrastructure:

Expired or Inactive domains
Missing DNSSEC
Localhost DNS record
Disclosure of known public or non-sensitive files such as robots.txt
Http 404 Error pages
Same Site Scripting

How should you report?

Describe the found issue as explicit and detailed as possible and provide any evidence you might have. You can take into account that the notification will be received by security experts such as the Ayvens Security Team. Furthermore sent the reports in English. We encourage you to send the e-mail in encrypted state. Please use the PGP key located on the bottom of this page. Include the following in your disclosure e-mail:

Which (type) vulnerability
Steps you took for reproducibility
Full URL and Payload
Screenshots

Rewards

Please be aware that Ayvens currently cannot offer rewards for (security) bug reports.

For follow-up we will ask your contact details (name, e-mail, PGP-Key and optionally a Phone number) unless you chose to report anonymously.

Your personal information is only used to approach you and undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission. Unless, the law requires us to provide your personal information or when an external organisation takes over the investigation of your reported vulnerability. In this case we will ensure that the applicable authority will treat your personal information confidentially. We will remain responsible for your personal information.

Our PGP key -----BEGIN PGP PUBLIC KEY BLOCK----- Comment: User-ID:LeasePlan <responsible-disclosure@leaseplan.com> Comment: Created:6/3/2019 1:42 PM Comment: Expires:6/3/2021 12:00 PM Comment: Type:2048-bit RSA (secret key available) Comment: Usage:Signing, Encryption, Certifying User-IDs Comment: Fingerprint:6BDC829FEABC7782CB8E4722312FF80AB00549E7 mQENBFz1B7ABCAC/p7phmRYxpkQvFLsR0XuvdoQlmuh48V5hLqknXzhXHu1GjUn3 qIsCmm++1F94DQ2t8XSJTCAEHbDLdHdXf69cJLr4MqZKvKPHpnK89thuQOEV5WuO kywy3db4JNerGA04HH7VSuKhljC5KCYoF2UIVaMepCGXHTmVu51nh0h5aSkZlkjV eTXlcjvmgdgBnLt2+DAkC/Wn6VeSTl1/0vOVcuOapcG2z9hUV8C85g8WHtAZf5Rj rYuLIs1t7+x2ZFAHb12I6eK4zgnO1x40e1aVoKqR040JK6SXRY7Z9k7kpxrjL3ah 6KRL2dhmG8DVAoN6bKMq5mtPe8qhJ2uD4e1LABEBAAG0MExlYXNlUGxhbiA8cmVz cG9uc2libGUtZGlzY2xvc3VyZUBsZWFzZXBsYW4uY29tPokBVAQTAQgAPhYhBGvc gp/qvHeCy45HIjEv+AqwBUnnBQJc9QewAhsDBQkDw6BwBQsJCAcCBhUKCQgLAgQW AgMBAh4BAheAAAoJEDEv+AqwBUnnZ9UH/Rc75f2jrCfWXUYPEX7A26tRNqLP5Xp+ 8SDVwLgRPZD6oa3LzfWuPU/cYGMPUcZHN1lyQM9V3CGA+3MnH4w6DTPkjnxv78sg yequ10B+0P8PrZVzUCDXxiK8q/Trwjtqidbo8/S9h/CwD6k+u7B/6rCkiYztoTZw aR7WcUZrF3Hp/Q2FFVR0WftK4ur8+4ZF/x2svhiosV0wJ+yaIAxnBBfMMMwteAh3 jmqmHBC+dUHB2DfkcG7YzJvYu4/4AdlUkjgB3EJFDlHWZaZ6Qg2A58MKwt3YLOBF zet7baFIgaRi1oaohpHS46eEMFifomGY3fYcwtlvcMt14Jh7A+2ns+e5AQ0EXPUH sAEIAMxYAUT5xVJucRDSHkylfJjvvIUdE4v0qVM3/WeNe5UlxYwJO18DJsOAIXXX wA3D2Z0LM59uDt2UEI5mBKv79Cp+dZsZx2nxnmvDs6eNe5CYMatu5EFeYH0He98a VVsBoNtSlTehcsFEcg79GUimY+Be394HAwwKVDQ0WGmp8lur3UAXy+B1PW5oNb5Y Z4N5UWKFxQPZHbZ65+qUtPZGYV3PdNnlRhqJw6RxfiXpQ4GPAWvHls1yZPJ4N9y3 W04CVQLGK4PBELR6kLmUzvsBT6W5Dq+AowOvF5LmBMS1bsKMLBmx6G1iF3bmQTaZ h5KWri2H/xuKXMqqLHd05yv3RZMAEQEAAYkBPAQYAQgAJhYhBGvcgp/qvHeCy45H IjEv+AqwBUnnBQJc9QewAhsMBQkDw6BwAAoJEDEv+AqwBUnnctsIAKp8WZwYOLmX rY70kFveZwkfb4Fd650XCLEj6SkFECwUzeGn0Lr1KI1yb0YyLoDds4MdWI3TuSGC MnFP2g0Mmw/+cXXKR6QDTAuH/FFDRqVo8vrl5OJe/RknTKsgqslD0H3q64dlXxtB XF+ymRjm40qITrc8HXS2QFe73JDyu9+ulyZf4AvFXY4WkDyql/M3a2DI0XyhbrN2 NsmAwk4+eS/yyoHuR1PQJgRs1YjVIvYILyU7DZ94KanRUtBW7uo89Zg9Uek0VZbi 78lw5XG1wOOMBovNLFdMgBq/o0bRJPldObBKrq8/b0rhXmcfjM5VDCQJlu+l0n3H YEsObegLMBQ= =SfxF -----END PGP PUBLIC KEY BLOCK-----