Coordinated Vulnerability Disclosure

At Monta, we take the security of our systems very seriously. Robust security is crucial to maintaining the trust of our customers, suppliers, and employees.

Should you find a weakness in any of our systems, we would like to hear from you immediately so that we can take the necessary measures to improve security as soon as possible. Part of the rewards program includes possible induction into our Hall of Fame.


Reporting vulnerabilities

What can you report?

You can report vulnerabilities in our services. Examples are:

  • Cross-Site Scripting (XSS) vulnerabilities.
  • SQL injection vulnerabilities.
  • Weaknesses in setting up a secure connection.
  • Weaknesses in (mobile) applications.

What can’t you report?

This Coordinated Vulnerability Disclosure (CVD) is not intended for reporting complaints. Also, this CVD is not intended for reporting:

  • Websites or services that are unavailable.
  • Features of websites or services that do not work or work incorrectly.
  • Fraud.
  • Spam or phishing emails.
  • Vulnerabilities without sufficient information.

How can you report it?

  • Report the vulnerability as soon as possible using the form at the bottom of this page or at [email protected]. We support encrypted emails using PGP. The public key can be downloaded at https://gomonta.com/pgp.txt
  • Please provide enough information so that we can reproduce the problem. Usually the IP address or URL of the affected system and a description of the vulnerability is sufficient, but more may be required for more complex vulnerabilities. Also describe the potential impact of the vulnerability.
  • Exploit the vulnerability to the extent necessary only to confirm its presence. Make every effort to prevent violation of privacy, impairment of user experience, disruption of production systems, and destruction or manipulation of data.
  • Do not exploit the vulnerability by, for example, downloading more data than is necessary to demonstrate the leak, or by viewing, deleting or modifying third-party data.
  • Please give us a reasonable time to resolve the vulnerability. Do not share information about the security problem with others until it is resolved.
  • Remove all confidential data you have obtained immediately after reporting.

What can you expect from us?

  • We will respond to your report within 10 business days with our assessment and an expected date for resolution.
  • We will treat your report confidentially and will not share your personal data with third parties without permission, unless required by law.
  • We will keep you informed of the progress in resolving the problem.
  • We may offer a reward, as a thank you for your help, depending on the severity of the vulnerability and the quality of the report. Please refer to the terms and conditions of the reward program.
  • We will try to work with you to ensure that disclosure of the vulnerability is done in a mutually agreed manner.

What falls into the scope?

This policy covers Monta’s following systems and applications:

  • All public Monta domains (such as Monta.co.uk) and subdomains.
  • MontaWMS.
  • Monta apps and mobile applications officially published by Monta.

What is not in the scope?

  • Systems of customers, partners or suppliers.
  • Production environments for which explicit consent has not been given.
  • Testing that could lead to disruption of our processes, such as DDoS attacks or brute-force attempts.
  • Physical testing (such as building access), social engineering or other non-technical testing.

Terms of the reward program

  • Monta determines whether a reward is applicable and what reward is offered. We do this based on vulnerability risk. The final risk is determined by Monta. To qualify, a report must be justified and not previously reported.

    A reward may include:
    • An appointment to the Hall of Fame, listed on this page and in our security.txt.
      (Of course, we do this after approval from the reporter.)
    • A coffee mug
    • A T-shirt
    • Gift certificates up to a maximum amount of 250 euros
  • Rewards will not be offered if the rules of this policy are not followed.
  • If the report is not a vulnerability or is low risk, no reward is offered. See the rewards program exceptions with examples of vulnerabilities for which no reward is given.
  • For multiple reports about a specific vulnerability, the reward is awarded to the first person to report that vulnerability. Monta determines whether there are duplicate reports and does not share substantive information about them.
  • A reward is granted to only one person.
  • Past rewards granted do not guarantee rewards offered in the future.
  • Anonymous reports are excluded from participation in the rewards program.

Reward program exceptions

Monta may, if the vulnerability is low or accepted risk, decide not to reward a report. Below are some examples of such vulnerabilities. This list is not exhaustive.

  • HTTP 404 or other non-200 status codes
  • Adding plain text in 404 pages
  • Version banners on public services
  • Publicly accessible files and folders containing non-sensitive information
  • Clickjacking on pages without a login feature
  • Cross-site request forgery (CSRF) on forms accessed anonymously
  • Lack of ‘Secure’ / ‘HttpOnly’ flags on non-sensitive cookies
  • Enabled HTTP OPTIONS and TRACE methods.
  • Host Header Injection
  • Lack of SPF, DKIM and DMARC records
  • Lack of DNSSEC
  • Missing or incorrectly applied HTTP Security Headers, such as:
    • Strict-Transport-Security (HSTS).
    • HTTP Public Key Pinning (HPKP).
    • Content-Security-Policy (CSP).
    • X-Content-Type-Options
    • X-Frame-Options
    • X-XSS-Protection

Any questions?

Questions about this policy should be sent to [email protected]. We also invite you to contact us if you have suggestions to improve this policy.

You make a report.
We will work on it!


File a report and improve our security!