Security and Vulnerability Disclosure Policy
If you believe you have found a security issue that meets our definition of a vulnerability, please submit the report to dpo@pulso-group.com using the reporting guidelines.
Definition of a vulnerability
We consider a security vulnerability to be a weakness in one of our websites or infrastructure that could allow an attacker to impact the confidentiality, integrity, or availability of the website or infrastructure.
We do not consider the following types of findings to be security vulnerabilities:
- Descriptive error messages.
- Fingerprinting / banner disclosure.
- Clickjacking and issues only exploitable through clickjacking.
- Low impact Cross-Site Request Forgery (e.g. logout CSRF).
- Content spoofing.
- Presence of application or web browser autocomplete or save password functionality.
- Lack of Secure / HTTPOnly flags on non-sensitive cookies.
- Weak captcha or captcha bypass.
- Login or Forgot Password page brute force and account lockout not enforced.
- Username / email enumeration.
- Missing HTTP security headers without a proof of concept demonstrating the vulnerability (e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only, Cache-Control and Pragma).
- HTTP / DNS cache poisoning.
- DNS zone transfers.
- SSL / TLS issues (e.g. BEAST, BREACH, renegotiation attacks, forward secrecy not being enabled, weak/insecure cipher suites).
- Self-XSS reports will not be accepted. Similarly, any XSS that requires local access (e.g. User-Agent header injection) will not be accepted. The only exception is if you can show a working off-path MitM attack that allows the XSS to trigger.
- Vulnerabilities that are limited to unsupported browsers will not be accepted (e.g. "this exploit only works in IE6/IE7").
- Known vulnerabilities in third-party software or libraries in use, or reports that outdated third-party software or libraries (e.g. Plesk, jQuery, Apache, …) are in use, unless you can prove exploitability.
- Missing or incorrect SPF records of any kind.
- Missing or incorrect DMARC records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information (e.g. issue IDs, project IDs, commit hashes).
- The ability to upload/download viruses or malicious files to the platform.
- Email bombing.
- Request flooding.
- Lack of rate limiting.
- CSV injection.
- UI and UX issues, including spelling mistakes.
Rules
- The use of automated scanners is strictly prohibited.
- Destructive or intrusive testing is strictly prohibited.
- You must ensure that customer data is not affected in any way as a result of your testing.
- If you believe you have found sensitive data (e.g. login credentials, API keys, ...) or a way to access sensitive data (e.g. through a vulnerability), please report it but do not attempt to validate whether it works.
- Reports need to be submitted in plain text. Associated pictures and videos are accepted as well, as long as they are in standard formats. Non-plain-text reports (e.g. PDF, Word, ...) are not accepted.
- Do not conduct non-technical attacks such as social engineering, phishing or unauthorized access.
- Do not conduct physical attacks on equipment, facilities or employees.
- Do not conduct denial of service attacks.
- Use non-destructive and non-intrusive payloads for proof of concepts.
Acceptable payloads
| Issue type | Acceptable payload |
| --- | --- |
| XSS | A simple alert(1) should suffice. |
| SQL injection | Non-destructive and non-intrusive payloads. |
| RCE | A simple echo command should suffice. |
| Redirects | Set the redirect URL to https://test.pulso-group.com |
| CSRF | Non-destructive and non-intrusive payloads. |
| SSRF | Use https://pulso-group.com/.well-known/security.txt |
Scope
Any domain or system that is not listed here is strictly out of scope.
- pulso-group.com and its subdomains
- sites, services or systems managed by Pulso Europe BV
If you have found a vulnerability that is not in scope but is related to Pulso Europe BV, we would appreciate it if you followed the same reporting guidelines as if it were in scope.
Reporting guidelines
Please include the following information in your report, preferably in English:
- A brief summary of the vulnerability
- Type of issue (cross-site scripting, SQL injection, remote code execution, etc.)
- Domain and URL where the vulnerability was found
- Step-by-step instructions to reproduce the issue, including:
  - The endpoint URLs
  - Parameters and payloads used (redact any personal or sensitive information)
  - Source of any scripts or command-line inputs used
- Request details, screenshots and/or recordings are highly appreciated
- Any proof-of-concept or exploit code required to reproduce
- The potential impact of the vulnerability (e.g. what data can be accessed or modified)
- Possible mitigations, fixes or security controls are highly appreciated
Private disclosure
Vulnerabilities may be disclosed to Pulso Europe BV privately.
Publishing details about vulnerabilities is done at our own discretion.
We ensure that we remain responsive and prioritize reported vulnerabilities based on their severity, likelihood and associated risks.
If you do not receive a reply to your report within 10 business days, your e-mail was most likely marked as spam; in that case you may contact us by telephone.
Safe harbour
You are expected to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy and/or laws, please submit your questions to dpo@pulso-group.com.
Pulso Europe BV will not take legal action against you for providing the details as described in the reporting guidelines and complying with this policy.
Rewards
Any compensation is at Pulso Europe BV's discretion only.
Any compensation that you may receive may be taxable.
Reporting and ensuring that you pay the appropriate tax on it is your responsibility.
Acknowledgements
Khurram Shoaib - Cyber Security Researcher
End note
Thank you for helping us keep our websites safe!