Responsible Disclosure Policy

At COFRA Holding, we work hard to maintain and improve the security of our systems, and welcome your help in this respect. If you discover a vulnerability, COFRA kindly asks you to report it to us directly, as set out in our Responsible Disclosure policy below, so that we are able to take timely action.

We would like to ask you to:

  • E-mail your findings to secops@cofraholding.com, as soon as possible. Please use the PGP key of secops@cofraholding.com (fingerprint EFE7 5E99 894F B7E1 3713 A8EE 48BE 263F CCAD 6F1A) to prevent information from falling into the wrong hands

  • Not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data. Be extra cautious when personal data is involved. Do not reveal the problem to others until it has been resolved

  • Not share information on vulnerabilities until they have been resolved and erase any data obtained through vulnerabilities as soon as possible

  • Not attack physical security or third-party applications, use social engineering, spam or orchestrate (distributed) denial of service attacks

  • Provide sufficient information to allow us to reproduce the vulnerability and provide a quick resolution. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, but complex vulnerabilities may need additional information

COFRA’s Responsible Disclosure policy is not an invitation to actively scan our company network for vulnerabilities. Our systems are monitored continuously. As a result, there is a good chance that a scan will be detected and our Security Operations Center (SOC) will investigate it.

COFRA promises that:

  • Any of your personal data will be processed in accordance with the General Data Protection Regulation

  • We will respond to your report within five business days with our evaluation of the report and an expected resolution date

  • If you have followed the instructions above, we will not take any legal action against you regarding the activities leading to the report

  • We will handle your report confidentially, and will not share your personal information with third parties without your permission unless an authorized authority demands this

  • We will keep you informed of our progress in resolving the vulnerability

  • Reporting anonymously or under a pseudonym is possible. Please be aware that in that case we will not be able to contact you about the next steps, our progress or any reward for the report

  • As a token of our appreciation for your help, we offer a reward for any first report of an unknown vulnerability. The exact reward will be determined by the severity of the vulnerability and the quality of the report, ranging from an honourable mention to a gift

  • We strive to resolve any vulnerability as soon as possible

Excluded from this Responsible Disclosure policy are:

  • Social engineering or phishing of our employees, customers or suppliers

  • Any physical attacks, or attempted physical attacks, against our property, infrastructure, or data centres

  • Denial of service attacks

  • Self-XSS

  • Reports from automated tools and scans

  • Bugs in third-party software

  • Missing cookie flags on non-sensitive cookies

  • Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)

  • DKIM/SPF/DMARC issues

  • Version exposure (unless you deliver a PoC of a working exploit)

  • Directory listing with already publicly readable content