Vulnerability Disclosure Policy

Updated: February 10th, 2023

At KnowledgeOwl, we take the security and integrity of our customer’s data seriously. As such, we welcome input from security researchers to ensure that, should any vulnerabilities in KnowledgeOwl arise, that they can be addressed quickly and effectively. However, to ensure that our customers are not impacted during any vulnerability discovery activities, please follow the terms below before testing for any vulnerabilities.

KnowledgeOwl pledges to not initiate any legal action against researchers that follow the terms below.

We do not offer any monetary rewards (e.g. bounties) for vulnerabilities reported to us.

Scope

Please restrict any testing to the following sites:

app.knowledgeowl.com
support.knowledgeowl.com
www.knowledgeowl.com

Testing KnowledgeOwl customer sites is not allowed.

Creating 1 (one) trial account per researcher is allowed. Should a researcher require a second account, or should the trial period expire before testing is complete, please contact us.

Restrictions

Generally, please do not perform any activities that will negatively impact users or normal functionality of KnowledgeOwl. Additionally, the following actions are specifically restricted:

Modification of data owned by other users
Deletion or corruption of data owned by other users
Denial of service attacks
Social engineering attacks including phishing
Email bombing or similar high-volume attacks
Mass submissions to or scanning of our contact us or support forms
Creating large amounts of trial accounts

Please do not violate any laws or agreements in order to locate vulnerabilities.

Reporting a Vulnerability

Please report any details of the discovered vulnerability to the following email address: security@knowledgeowl.com

The more details that the researcher is able to provide, the faster we will be able to respond to any vulnerabilities.

Vulnerability Acceptance and Remediation

KnowledgeOwl will make an effort to address every vulnerability report that is submitted to us. Following submission, we will attempt to reproduce the finding to ensure that it is valid and impactful and not a duplicate or previously accepted risk. Should the vulnerability be valid and require remediation, KnowledgeOwl will internally discuss what actions need to be taken and how the vulnerability will be remediated. We will endeavor to keep in contact with the security researcher during this process and provide updates on projected remediation timeline and will inform the researcher of vulnerability remediation. If the researcher wishes to disclose the discovered vulnerability publicly, we ask that they talk to us first, before disclosing the issue publicly.

We do not offer monetary bounties for accepted vulnerabilities. Researchers that report vulnerabilities to us may be eligible for addition to our hall of fame.

KnowledgeOwl is not accepting the following types of reports:

Reports of the following types are currently not eligible for KnowledgeOwl's Vulnerability Disclosure Program and will not be accepted.

Email Spoofing (including DMARC and SPF records)
Missing Security Headers (such as the HSTS header), unless the lack of such a header directly leads to a vulnerability
Sessions not expiring on security events, such as password changes
Password reset tokens not being invalidated by email changes
Clickjacking
Vulnerabilities that require odd or unlikely user interaction
Self-XSS
XSS in the contents of files uploaded to the file library, unless it can be exploited directly in the UI
- For example, a report about an HTML file uploaded to the file library, that requires the user to open the file directly using the file's Cloudfront link would not be accepted
XSS reports for knowledge base frontends or frontend previews (e.g. iframes like those in the style settings). Only XSS reports for app.knowledgeowl.com are accepted.
- For example, XSS in the descriptions of categories or articles that executes only when viewing the knowledge base frontend or its previews (e.g. {knowledgebase}.knowledgeowl.com) are not accepted.
Logout Cross-Site Request Forgery
Resource Flooding
Missing Rate Limiting
Weak Password Policy
EXIF Data Not Stripped on Images
Browser History Management
Host header injection, unless an exploit is demonstrated (such as cache-poisoning or XSS)
Missing Email Verification
User Account Enumeration
Missing Certificate Authority Authorization Record
Cross Domain Script Include
Open CVEs in third-party JavaScript libraries, unless an exploit is demonstrated
Missing DNSSEC Records

Questions

If you have any questions about our vulnerability disclosure policies or process, please feel free to email us at security@knowledgeowl.com

Thank You!

KnowledgeOwl would like to thank the following security researchers for their contributions of vulnerability reports and ensuring that KnowledgeOwl can continue to protect the data of its users.

Name	Links
Volodymyr "Bob" Diachenko	https://www.linkedin.com/in/vdyachenko https://twitter.com/MayhemDayOne
Rohit Soni	https://www.linkedin.com/in/rohit-soni-r007/
Ritik Sahni	https://twitter.com/RitikSahni22
Abdelali Khalfi	https://twitter.com/abdela1i
Nayanjyoti Roy	https://www.facebook.com/nrh4ck3r
Jayson Vasquez Rubio	https://facebook.com/100008995930508
Jeffrey Hoekema	https://linkedin.com/in/jeffrey-hoekema
Romel Lanza	https://www.facebook.com/romhel.lanza
Pethuraj M	https://www.pethuraj.in \| https://www.pethuraj.com
Priyanka Narayan	https://www.linkedin.com/in/priyanka-narayan-4bb6a416b
Soundar M	https://www.linkedin.com/in/soundar-m-4647b3149/
Yash Agarwal	https://www.linkedin.com/in/yash-agarwal-17464715b/
Anon Tuttu Venus	https://in.linkedin.com/in/anonvenus
Badal Sardhara	https://www.linkedin.com/in/badal-sardhara-9b43a41a5
Mahendra Purbia Rajasthani Hacker	https://www.linkedin.com/in/mahendra-purbia-185b44186
Nikhil Ahire	https://www.linkedin.com/in/nikhil-ahire-b28b4b158
Yogeshwaran Chandrasekaran	https://www.linkedin.com/in/yogeshwaran-chandrasekaran-23283518a
Farah Hawa	https://linkedin.com/in/farah-hawa-a012b8162
Akshay Parse	https://www.linkedin.com/in/akshay-parse-0b1176199
Pritam Mukherjee	https://www.linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9/
Robert Aaron	https://linkedin.com/in/robert-aaron-14735b188
Mohamed Saqib C	https://www.linkedin.com/in/mohamed-saqib/
Aamir Usman Khan	https://www.linkedin.com/in/aamir-u-khan/
Jerry Thomas	https://www.linkedin.com/in/jerry-thomas-4a1a69169/
Midhun S	https://www.linkedin.com/in/midhun-s-8a5939150
Akhil Sabu	https://www.linkedin.com/in/akhil-sabu-a2136497
Gawasharks	https://twitter.com/gawasharks
Nirjhar Banik	https://www.linkedin.com/in/neerjhar
Agrah Jain	https://www.linkedin.com/in/agrahjain
Akshay Gaikwad	https://www.linkedin.com/in/akshay-gaikwad-272878165
Kartik Adak	https://www.linkedin.com/in/kartik-adak-81a25918a/
Souvik Roy	https://www.linkedin.com/in/souvikroyofficial
Lokesh Goyal	https://www.linkedin.com/in/lokesh-goyal-79a147157
Bindiya Sardhara	https://www.linkedin.com/in/bindiya-sardhara-24b1a2b4/
Midhun Mohanan	https://www.linkedin.com/in/midhun-mohanan-629173184/
Harsh Vijaykumar Parasiya	https://www.linkedin.com/in/harsh-parsiya-23109b123 https://www.facebook.com/harsh.parasiya
d3vpoo1	https://gitlab.com/jrckmcsb
Chirag Ketan Prajapati	https://www.linkedin.com/in/chirag-prajapati-1bb788191
Gourab Sadhukhan	https://www.linkedin.com/in/gourab-sadhukhan-71158216a
Nitesh Pandey	https://www.linkedin.com/in/osintnitesh
Karan Keswani	https://www.linkedin.com/in/karankeswani1203/
Purbasha Ghosh	https://www.linkedin.com/in/purbasha-ghosh-18b3711a1/
MAHIN VM	https://in.linkedin.com/in/mahin-vm-57413315a
Nishant Narendra Lungare	https://www.linkedin.com/in/nishant-lungare-28b841157
Vikash Kumar	https://www.linkedin.com/in/vikash-kumar-7b938a176 https://twitter.com/vksutk
Shubham Kumar	https://www.linkedin.com/in/shubham-kumar-948722189/
Abhijit P. Mali	~~https://twitter.com/Abhijitmali183~~
JIMMI SIMON	https://www.linkedin.com/in/jimmisimon/ \| http://jimmisimon.in/
Praful Apuri	https://www.instagram.com/itz_praffy/ \| https://twitter.com/itzpraffy
Shubhdeep	https://www.linkedin.com/in/shubhdeep404
Dhanumaalaian R	https://www.linkedin.com/in/dhanumaalaian-r-b34338189/ \| https://twitter.com/dhanumaalaian
Akash.H.C	https://www.linkedin.com/in/akash-h-c-4a4090a7/
Tejavardhan Vishwakarma	https://www.linkedin.com/in/tejavardhan-vishwakarma-32791273
Akash Patil	https://twitter.com/skypatil98
Vani K G	https://www.linkedin.com/in/vani-k-g-016780197
Ramesh Kumar Sekar	https://www.linkedin.com/in/ramesh-kumar-sekar-80964b146/
Anshuman Prajapati	https://www.linkedin.com/in/anshuman-prajapati-b03404195/
Pratik Khalane	https://www.linkedin.com/in/pratik-khalane/
Chetan Pathade	https://www.linkedin.com/in/chetan-pathade/
Souvik Mondal	https://www.linkedin.com/in/souvik-mondal-8b3a0a1b3/
Eeshwar Dronavalli	https://www.linkedin.com/in/eeshwar-dronavalli-5a16ba16a/
Sanidhya Ved	https://www.linkedin.com/in/sanidhya-ved-0734501a2
Kinshuk Kumar	https://www.linkedin.com/in/kinshuk-kumar-4833551a1/
Amit Kumar	https://www.linkedin.com/in/amit-kumar-9853731a4
Ali Hassan Ghori	https://www.linkedin.com/in/alihassanghori/
Mohammed Wasim Khan	https://www.linkedin.com/in/wasimkhan844
Saranya N	https://www.linkedin.com/in/saranya-n-106217197/
Maulik Vaidh	https://twitter.com/maulik1827
Jha kalpeshkumar D.	https://in.linkedin.com/in/kalpeshkumar-jha-b28b7851 https://twitter.com/jha_kalpesh
Rajvee Chauhan	https://www.linkedin.com/in/rajvichauhan
Poonam Panchal	https://www.linkedin.com/in/poonam-panchal-8983b6182
Niraj Mahajan	https://www.linkedin.com/in/niraj1mahajan/
Shoeb Raseed Shaikh	https://www.linkedin.com/in/ishoebshaikh
Durgesh Patil	https://www.linkedin.com/in/durgeshpatil1999
Alok Verma	https://www.linkedin.com/in/alok-verma-098081114 https://www.uedeveloper.com/
Keyur Mehta	https://www.linkedin.com/in/keyur-mehta4455
Ashutosh Raval	https://www.linkedin.com/in/0one-ashutosh-%E2%98%80%EF%B8%8F-b58b89137
Kartik Khurana	https://www.linkedin.com/in/kartik-khurana-878739175
Dhruvin Shah	https://www.linkedin.com/in/dhrruvin/
Patel Riya	https://www.linkedin.com/in/riya--patel
Dharmishtha Mandhalkar	https://www.linkedin.com/in/dharmishtha-mandhalkar-24057820a
Vishal Vishwakarma	https://www.instagram.com/rootxvishal/
Sachin Kalkumbe	https://www.linkedin.com/in/sachin-kalkumbe-462824201
Saransh Saraf (MR23R0)	https://www.linkedin.com/in/saransh-saraf-2b514b20b/
EZOUINE ACHRAF
Bikash Kumar Prasad	https://www.linkedin.com/in/bikash-prasad-b2b0b41a5/
Hydrogen	https://twitter.com/bikz21
Pavan Saxena	https://www.linkedin.com/in/pavan-saxena2506
Younghun Lee 이영훈	https://www.linkedin.com/in/younghun-lee-2407b1113/
Sidhu Mossewala	https://www.linkedin.com/in/ritik-jangra-03b80a21b
Yash Kushwah (@cyberyash951)	https://www.linkedin.com/mwlite/in/yash-kushwah-a80449229
Milan Jain (Scriptkiddie)	https://www.linkedin.com/in/milan-jain-scriptkiddie-50a738213