Vulnerability Disclosure Policy

Updated: October 7th, 2021

At KnowledgeOwl, we take the security and integrity of our customer’s data seriously. As such, we welcome input from security researchers to ensure that, should any vulnerabilities in KnowledgeOwl arise, that they can be addressed quickly and effectively. However, to ensure that our customers are not impacted during any vulnerability discovery activities, please follow the terms below before testing for any vulnerabilities.

KnowledgeOwl pledges to not initiate any legal action against researchers that follow the terms below. 

We do not offer any monetary rewards (e.g. bounties) for vulnerabilities reported to us.

Scope

Please restrict any testing to the following sites:

  • app.knowledgeowl.com 
  • support.knowledgeowl.com
  • www.knowledgeowl.com

Testing KnowledgeOwl customer sites is not allowed.

Creating 1 (one) trial account per researcher is allowed. Should a researcher require a second account, or should the trial period expire before testing is complete, please contact us.

Restrictions

Generally, please do not perform any activities that will negatively impact users or normal functionality of KnowledgeOwl. Additionally, the following actions are specifically restricted: 

  • Modification of data owned by other users 
  • Deletion or corruption of data owned by other users
  • Denial of service attacks
  • Social engineering attacks including phishing
  • Email bombing or similar high-volume attacks
  • Mass submissions to or scanning of our contact us or support forms
  • Creating large amounts of trial accounts

Please do not violate any laws or agreements in order to locate vulnerabilities.

Reporting a Vulnerability

Please report any details of the discovered vulnerability to the following email address: security@knowledgeowl.com

The more details that the researcher is able to provide, the faster we will be able to respond to any vulnerabilities.

Vulnerability Acceptance and Remediation

KnowledgeOwl will make an effort to address every vulnerability report that is submitted to us. Following submission, we will attempt to reproduce the finding to ensure that it is valid and impactful and not a duplicate or previously accepted risk. Should the vulnerability be valid and require remediation, KnowledgeOwl will internally discuss what actions need to be taken and how the vulnerability will be remediated. We will endeavor to keep in contact with the security researcher during this process and provide updates on projected remediation timeline and will inform the researcher of vulnerability remediation. If the researcher wishes to disclose the discovered vulnerability publicly, we ask that they talk to us first, before disclosing the issue publicly.

We do not offer monetary bounties for accepted vulnerabilities. Researchers that report vulnerabilities to us may be eligible for addition to our hall of fame.

KnowledgeOwl is not accepting the following types of reports:

  • Email Spoofing (including DMARC and SPF records)
  • Missing Security Headers (such as the HSTS header), unless the lack of such a header directly leads to a vulnerability
  • Sessions not expiring on security events, such as password changes
  • Clickjacking
  • Vulnerabilities that require odd or unlikely user interaction
  • Self-XSS
  • XSS in the contents of files uploaded to the file library, unless it can be exploited directly in the UI
    • For example, a report about an HTML file uploaded to the file library, that requires the user to open the file directly using the file's Cloudfront link would not be accepted
  • Logout Cross-Site Request Forgery
  • Missing Rate Limiting
  • Weak Password Policy
  • EXIF Data Not Stripped on Images
  • Host header injection, unless an exploit is demonstrated (such as cache-poisoning or XSS)
  • Missing Email Verification
  • User Account Enumeration
  • Missing Certificate Authority Authorization Record

Questions

If you have any questions about our vulnerability disclosure policies or process, please feel free to email us at security@knowledgeowl.com

Thank You!

KnowledgeOwl would like to thank the following security researchers for their contributions of vulnerability reports and ensuring that KnowledgeOwl can continue to protect the data of its users.

Name

Links

Nayanjyoti Royhttps://www.facebook.com/nrh4ck3r
Jayson Vasquez Rubiohttps://facebook.com/100008995930508
Jeffrey Hoekemahttps://linkedin.com/in/jeffrey-hoekema
Romel Lanzahttps://www.facebook.com/romhel.lanza
Pethuraj Mhttps://www.pethuraj.in | https://www.pethuraj.com
Priyanka Narayanhttps://www.linkedin.com/in/priyanka-narayan-4bb6a416b
Soundar Mhttps://www.linkedin.com/in/soundar-m-4647b3149/
Yash Agarwalhttps://www.linkedin.com/in/yash-agarwal-17464715b/
Anon Tuttu Venushttps://in.linkedin.com/in/anonvenus
Badal Sardharahttps://www.linkedin.com/in/badal-sardhara-9b43a41a5
Mahendra Purbia Rajasthani Hackerhttps://www.linkedin.com/in/mahendra-purbia-185b44186
Nikhil Ahirehttps://www.linkedin.com/in/nikhil-ahire-b28b4b158
Yogeshwaran Chandrasekaranhttps://www.linkedin.com/in/yogeshwaran-chandrasekaran-23283518a
Farah Hawahttps://linkedin.com/in/farah-hawa-a012b8162
Akshay Parsehttps://www.linkedin.com/in/akshay-parse-0b1176199
Pritam Mukherjeehttps://www.linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9/
Robert Aaronhttps://linkedin.com/in/robert-aaron-14735b188
Mohamed Saqib Chttps://www.linkedin.com/in/mohamed-saqib/
Aamir Usman Khanhttps://www.linkedin.com/in/aamir-u-khan/
Jerry Thomashttps://www.linkedin.com/in/jerry-thomas-4a1a69169/
Midhun Shttps://www.linkedin.com/in/midhun-s-8a5939150
Akhil Sabuhttps://www.linkedin.com/in/akhil-sabu-a2136497
Gawasharkshttps://twitter.com/gawasharks
Nirjhar Banikhttps://www.linkedin.com/in/neerjhar
Agrah Jainhttps://www.linkedin.com/in/agrahjain
Akshay Gaikwadhttps://www.linkedin.com/in/akshay-gaikwad-272878165
Kartik Adakhttps://www.linkedin.com/in/kartik-adak-81a25918a/
Souvik Royhttps://www.linkedin.com/in/souvikroyofficial
Lokesh Goyalhttps://www.linkedin.com/in/lokesh-goyal-79a147157
Bindiya Sardharahttps://www.linkedin.com/in/bindiya-sardhara-24b1a2b4/
Midhun Mohananhttps://www.linkedin.com/in/midhun-mohanan-629173184/
Harsh Vijaykumar Parasiyahttps://www.linkedin.com/in/harsh-parsiya-23109b123
https://www.facebook.com/harsh.parasiya
d3vpoo1https://gitlab.com/jrckmcsb
Chirag Ketan Prajapatihttps://www.linkedin.com/in/chirag-prajapati-1bb788191
Rohit Sonihttps://www.linkedin.com/in/rohit-soni-r007/
Ritik Sahnihttps://twitter.com/RitikSahni22
Gourab Sadhukhanhttps://www.linkedin.com/in/gourab-sadhukhan-71158216a
Nitesh Pandeyhttps://www.linkedin.com/in/osintnitesh
Karan Keswanihttps://www.linkedin.com/in/karankeswani1203/
Purbasha Ghoshhttps://www.linkedin.com/in/purbasha-ghosh-18b3711a1/
MAHIN VMhttps://in.linkedin.com/in/mahin-vm-57413315a
Nishant Narendra Lungarehttps://www.linkedin.com/in/nishant-lungare-28b841157
Vikash Kumarhttps://www.linkedin.com/in/vikash-kumar-7b938a176
https://twitter.com/vksutk
Shubham Kumarhttps://www.linkedin.com/in/shubham-kumar-948722189/
Abhijit P. Malihttps://twitter.com/Abhijitmali183
JIMMI SIMONhttps://www.linkedin.com/in/jimmisimon/ | http://jimmisimon.in/
Praful Apurihttps://www.instagram.com/itz_praffy/ | https://twitter.com/itzpraffy
Shubhdeephttps://www.linkedin.com/in/shubhdeep404
Dhanumaalaian Rhttps://www.linkedin.com/in/dhanumaalaian-r-b34338189/ | https://twitter.com/dhanumaalaian
Akash.H.Chttps://www.linkedin.com/in/akash-h-c-4a4090a7/
Tejavardhan Vishwakarmahttps://www.linkedin.com/in/tejavardhan-vishwakarma-32791273
Akash Patilhttps://twitter.com/skypatil98
Vani K Ghttps://www.linkedin.com/in/vani-k-g-016780197
Ramesh Kumar Sekarhttps://www.linkedin.com/in/ramesh-kumar-sekar-80964b146/
Anshuman Prajapatihttps://www.linkedin.com/in/anshuman-prajapati-b03404195/
Pratik Khalanehttps://www.linkedin.com/in/pratik-khalane/
Chetan Pathadehttps://www.linkedin.com/in/chetan-pathade/
Souvik Mondalhttps://www.linkedin.com/in/souvik-mondal-8b3a0a1b3/
Eeshwar Dronavallihttps://www.linkedin.com/in/eeshwar-dronavalli-5a16ba16a/
Sanidhya Vedhttps://www.linkedin.com/in/sanidhya-ved-0734501a2
Kinshuk Kumarhttps://www.linkedin.com/in/kinshuk-kumar-4833551a1/
Amit Kumarhttps://www.linkedin.com/in/amit-kumar-9853731a4
Ali Hassan Ghorihttps://www.linkedin.com/in/alihassanghori/
Mohammed Wasim Khanhttps://www.linkedin.com/in/wasimkhan844
Saranya Nhttps://www.linkedin.com/in/saranya-n-106217197/
Maulik Vaidhhttps://twitter.com/maulik1827
Jha kalpeshkumar D.https://in.linkedin.com/in/kalpeshkumar-jha-b28b7851
https://twitter.com/jha_kalpesh
Rajvee Chauhanhttps://www.linkedin.com/in/rajvichauhan
Poonam Panchalhttps://www.linkedin.com/in/poonam-panchal-8983b6182
Niraj Mahajanhttps://www.linkedin.com/in/niraj1mahajan/
Shoeb Raseed Shaikhhttps://www.linkedin.com/in/ishoebshaikh
Durgesh Patilhttps://www.linkedin.com/in/durgeshpatil1999
Alok Vermahttps://www.linkedin.com/in/alok-verma-098081114
https://www.uedeveloper.com/
Keyur Mehtahttps://www.linkedin.com/in/keyur-mehta4455
Ashutosh Ravalhttps://www.linkedin.com/in/ashutosh-raval-b58b89137
Kartik Khuranahttps://www.linkedin.com/in/kartik-khurana-878739175
Dhruvin Shahhttps://www.linkedin.com/in/dhrruvin/
Patel Riyahttps://www.linkedin.com/in/riya--patel
Dharmishtha Mandhalkarhttps://www.linkedin.com/in/dharmishtha-mandhalkar-24057820a
Vishal Vishwakarmahttps://www.instagram.com/rootxvishal/
Sachin Kalkumbe
https://www.linkedin.com/in/sachin-kalkumbe-462824201

Start building your knowledge base today