Security Disclosure Policy

Knight Support greatly respects the investigative work into security vulnerabilities carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community. This document defines how you can work with us to strengthen our security posture.

Scope

Vulnerabilities in Knight Support products and services are only within the scope of this policy when they meet all of the following conditions:

  • They have not been previously reported and have not already been discovered by our own internal procedures;
  • It can be demonstrated that there would be a real impact to Knight Support, its service users or partners should the reported vulnerability be exploited by a malicious actor. The existence of a vulnerability does not by itself demonstrate that such an impact exists: purely theoretical impacts will not be considered within the scope of the scheme;
  • They exist within the knightsupport.org.uk domain, including all of its subdomains.

The following security issues are currently not in scope (please don’t report them):

  • Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests);
  • TLS configuration weaknesses (e.g. "weak" cipher suite support, TLS 1.0 support, SWEET32 etc.);
  • Reports indicating that our services do not fully align with "best practice" (e.g. missing security headers or suboptimal email-related configurations such as SPF, DMARC etc.);
  • Issues surrounding the verification of email addresses used to create user accounts;
  • Clickjacking vulnerabilities;
  • Self XSS (i.e. where a user would need to be tricked into pasting code into their web browser);
  • CSRF where the resulting impact is minimal;
  • CRLF injection where the resulting impact is minimal;
  • Host header injection where the resulting impact is minimal;
  • Network data enumeration techniques (e.g. banner grabbing, existence of publicly available server diagnostic pages);
  • Reports of improper session management / session fixation vulnerabilities.

Bug Bounty

Knight Support is a non-profit, and our funding model means that we are unable to offer a bug bounty programme. We do, however, greatly appreciate the efforts of security researchers who take the time to investigate and report vulnerabilities to us in line with this policy.

Reporting a Vulnerability

To report a security vulnerability to us, please contact us using the email address published in our security.txt file: security@knightsupport.org.uk

Please include:

  1. The website or page in which the vulnerability exists
  2. A brief description of the class of the vulnerability

Do not include any sensitive information at this stage; if additional detail is required, we will provide a secure means of communication.

What to Expect

Our security team aims to respond within 72 hours of receipt of a valid vulnerability notification. Our response will include a reference number to allow the report to be tracked.

Upon receipt, we will triage the reported vulnerability and respond, requesting further information if needed.

If in-scope, our security team will work to remediate and, once remediated, may contact you to confirm that the remediation covers the reported vulnerability.

Guidance

Security researchers must not:

  • Access unnecessary amounts of data. For example, 2 or 3 records are enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability);
  • Violate the privacy of Knight Support users, staff, contractors, systems etc. For example by sharing, redistributing and/or not properly securing data retrieved from our systems or services;
  • Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than your Knight Support security contact;
  • Modify data in our systems/services which is not your own;
  • Disrupt our service(s) and/or systems; or
  • Disclose any vulnerabilities in Knight Support systems/services to 3rd parties or the public prior to Knight Support confirming that those vulnerabilities have been mitigated or rectified. This does not prevent notification of a vulnerability to 3rd parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework.

If you are unsure about the status of a 3rd party to whom you wish to send notification, please email security@knightsupport.org.uk for clarification. We request that any and all data retrieved during research is securely deleted as soon as it is no longer required or, at the latest, one month after the vulnerability is resolved, whichever occurs sooner.

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance (please do not include any sensitive information in the initial communications): security@knightsupport.org.uk.

Legal

This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause Knight Support to be in breach of any of its legal obligations, including but not limited to:

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)

Knight Support will not seek prosecution of any security researcher who reports, in good faith and in accordance with this policy, any security vulnerability on an in-scope Knight Support service.