Responsible Disclosure

Did you find a potential vulnerability in an Open Social platform or system? Read here how to report this through our responsible disclosure process.

Responsible disclosure process

At Open Social, we invest significant effort in maintaining the security of our systems; however, there may still be vulnerabilities that go unnoticed. If you identify a potential vulnerability that could impact our systems or lead to the disclosure of our customer data, we kindly request that you report it to us. This will enable us to address the issue and enhance the protection of our customers and systems.

Our responsible disclosure policy is not an invitation to actively scan our sites or networks for vulnerabilities. We monitor these ourselves. Consequently, we may detect such a scan and have our team investigate it, which may result in unnecessary costs.

What do we ask of you?

  • Do not use physical security attacks, social engineering or hacking tools, such as vulnerability scanners.
  • Share your findings by sending a secure email to security@getopensocial.com. If you wish to include screenshots or a formatted write-up, please upload it in PDF format.
  • Do not exploit the vulnerability or issue you have discovered, such as by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying others' data.
  • Do not disclose the issue to others until it has been resolved. Please refrain from publishing any information until we have reviewed the content and provided our approval, to ensure that no sensitive information is disclosed.
  • Avoid sending unnecessary messages and do not address groups of people to inquire about updates or rewards.
  • After your report has been closed, you are required to delete any confidential information obtained during your investigation.

What we promise

When adhering to the responsible disclosure process, we commit to the following:

  • We will analyze your report and respond within several business days following submission.
  • We will refrain from taking legal action against you, provided that the guidelines of the disclosure process are adhered to.
  • We will treat your report with the utmost confidentiality and will not disclose your personal information to third parties without your consent.
  • We will keep you updated on the progress of resolving the issue.
  • We will acknowledge you as the discoverer of the issue (unless you prefer otherwise).
  • As a token of our appreciation for your assistance, we offer a reward for each valid report of a security issue that was previously unknown to us. Payment will be issued after the issue has been resolved. The reward amount will depend on various factors, including the impact on Open Social and the accuracy of the report. The final amount will be determined by Open Social and is non-negotiable.
  • After remediation, we would be pleased to review your write-up, blog, or video if you wish to publish your findings.

Rewards

Depending on the severity of the identified vulnerability, we will provide a reward ranging from gift cards valued at €25 to €100.

Definition of a vulnerability

Open Social defines a security vulnerability as a weakness in our websites or infrastructure that may affect the confidentiality, integrity, and/or availability of these systems. Given the broad nature of this definition, we recognize that you may raise concerns that are either already known or not classified as security issues by Open Social. To clarify, the following types of findings are not categorized as security vulnerabilities:

  • Auto-completion settings on forms, whether enabled or disabled.
  • Absence of cookie attributes on non-sensitive cookies, such as a missing HttpOnly flag on analytics cookies.
  • The presence or absence of HTTP headers, including X-Frame-Options, CSP, no-sniff, etc., unless they are part of a solution for another related vulnerability.
  • DNS dangling and subdomain takeover.
  • Email security measures, including DKIM, DMARC, and SPF.
  • SSL/TLS issues related to outdated or invalid certificates.
  • Certain low-risk vulnerabilities or risks that are already known. While these may still be considered security vulnerabilities, they are either in the process of remediation or have been accepted.
  • Vulnerabilities of the same type reported separately, such as XSS in multiple parameters or unvalidated redirects in different locations. These are regarded as a single vulnerability.

The following list outlines items that we would certainly classify as security vulnerabilities:

  • Unauthorized access to customer data, including but not limited to names, order information, and other personal details.
  • Remote Code Execution (RCE).
  • Server-Side Request Forgery (SSRF).
  • Cross-site Scripting (XSS).
  • Cross-site Request Forgery (CSRF).
  • Injection attacks, such as SQL Injection (SQLi).
  • XML External Entity Attacks (XXE).
  • Access Control Vulnerabilities (including Insecure Direct Object Reference issues, etc.).
  • Path/Directory Traversal Issues.

If you have any uncertainties, please do not hesitate to submit a potential vulnerability to our security team for review and consideration.

Third-party service vulnerabilities

At Open Social, we integrate with various third-party services to facilitate certain functions, such as customer support. While we are dedicated to ensuring the security of our own infrastructure, we recognize that vulnerabilities within third-party services are beyond our direct control.

If you identify a potential vulnerability within a third-party service that we utilize, we kindly request that you contact the service provider directly as well. Should you report such an issue to us, we will strive to redirect your concern to the appropriate vendor so they can evaluate and address the matter accordingly.

Report a vulnerability

If you believe you have identified a security issue that may be classified as a security vulnerability, or if you have any other questions or concerns you would like to address, please contact us via email at security@getopensocial.com. Preferably, send the report encrypted using OpenPGP.