Vulnerability Disclosure Program

Our Vulnerability Disclosure Program is intended to minimize the impact that any security flaws have on our tool or its users. To qualify for the Program, the vulnerability must exist in the latest public release. Please remember that only security vulnerabilities qualify; functional bugs with no security impact do not.

Guidelines And Scope Limitations

Prior to reporting, please review the following information, including this Disclosure Program, its scope, and the other guidelines below. To encourage vulnerability research and to avoid any confusion between good-faith security testing and a malicious attack, we ask that you:

  • Follow this Disclosure Program, as well as any other relevant agreements
  • Do not cause any harm, degrade the performance or availability of the application, or act against our Terms of Use Agreement.
  • Do not intentionally access non-public Kommo data any more than is necessary to demonstrate the vulnerability.
  • Do not access, modify, destroy, save, transmit, alter, transfer, use or view data belonging to anyone other than yourself. If a vulnerability provides unintended access to data, please cease testing, purge local information, and submit a report immediately.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Do not compromise the privacy or safety of our customers or the operation of our services. Such activity will be treated as unauthorized and illegal.
  • Keep the details of any discovered vulnerabilities confidential, according to this Disclosure Program. Uncoordinated public disclosure of a vulnerability may result in disqualification from this program.
  • Comply with applicable laws and regulations.
  • Use only the official channels designated below (see "Reporting") to discuss vulnerability information with us.

When you conduct genuine, in-scope vulnerability research in accordance with this Disclosure Program, we consider that research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this Disclosure Program when conducting genuine vulnerability research.
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls when conducting genuine vulnerability research according to this Disclosure Program.
  • Exempt from restrictions in our Terms of Use Agreement that would interfere with conducting genuine vulnerability research, and we waive those restrictions on a limited basis for genuine vulnerability research done under this Disclosure Program.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

We reserve the right not to act on findings that have no real impact on the confidentiality, integrity or availability of our data and systems. Any research that violates the terms of this Program, our Terms of Use Agreement, our Safety and Security or GDPR-related documentation, or the governing law shall be treated as acting in bad faith and unlawfully. We are not obliged to provide remuneration, a fee or a reward for any vulnerability disclosure; any such payment remains at our full discretion.

If at any time you have concerns, or are uncertain whether your security research is consistent with this Disclosure Program, please submit a report through one of our official Reporting channels before going any further.

Scope

At this time, the following services and applications are in-scope:

  • Web application and infrastructure: https://www.kommo.com
  • Any third-level subdomain of kommo.com (i.e. hosts of the form *.kommo.com)
  • Anything with significant impact across our entire security posture or infrastructure

Out Of Scope

We accept only manual or semi-manual testing. Findings produced solely by automated scanners or scripts are considered out of scope. Furthermore, issues without a clearly identified security impact, missing security headers, and descriptive error messages are out of scope.

These items also are considered to be out of scope:

  • Attacks designed or likely to degrade, deny, or adversely impact services or user experience (e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying, Spam...).
  • Attacks designed or likely to destroy, corrupt, make unreadable (or attempts therein) data or information that does not belong to you.
  • Attacks designed or likely to validate stolen credentials, credential reuse, account takeover (ATO), hijacking, or other credential-based techniques.
  • Intentionally accessing data or information that does not belong to you beyond the minimum viable access necessary to demonstrate the vulnerability.
  • Performing physical, social engineering, or electronic attacks against our personnel, offices, wireless networks, or property.
  • Security issues in third-party applications, services, or dependencies that integrate with Kommo products or infrastructure that do not have a demonstrable proof of concept for the vulnerability (e.g., libraries, SAAS services).
  • Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a library we rely on to include a vulnerability for the sole purpose of receiving a reward).
  • Attacks performed on any systems not explicitly mentioned as authorized and in-scope.
  • Reports of missing “best practices” or other guidelines which do not indicate a security issue.
  • Attacks related to email servers, email protocols, email security (e.g., SPF, DMARC, DKIM), or email spam.
  • Missing cookie flags on non-sensitive cookies.
  • Reports of insecure SSL/TLS ciphers (unless accompanied by a working proof of concept).
  • Reports of account or client enumeration, i.e. how one can learn whether a given client can authenticate to a Kommo product or service.
  • Reports of mappings between code names and client names.
  • Reports of simple IP or port scanning.
  • Missing HTTP headers (e.g. lack of HSTS).
  • Email security best practices or controls (e.g. SPF, DKIM, DMARC).
  • Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven vulnerability.
  • Clickjacking or self-XSS reports.
  • Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
  • Domain-based phishing, typosquatting, punycode (IDN homograph) domains, bit-squatting, or similar look-alike domain techniques.
  • Violating any laws or breaching any agreements (or any reports of the same).

Reporting

Your findings should be supported by clear and precise documentation with no speculative information. Every finding should state its relevance and security impact. Provide a detailed summary of the vulnerability, including the target, the steps, the tools, and the artifacts (requests, responses, screenshots, proof-of-concept payloads) used during discovery, so that we can reproduce the issue.

To ensure that your findings are properly received, use only the approved channel: report discovered vulnerabilities by email to security@team.amocrm.com