Vulnerability Disclosure Program
At Kontent.ai, security has always been of great importance. Kontent.ai is committed to working with security researchers to help identify and fix vulnerabilities in our systems and services. If you believe you have found a security issue in our systems or services, we encourage you to notify us. We will work with you to resolve the issue promptly.
When performing security testing, please adhere to the following guidelines:
- Notify us as soon as possible after you discover a real or potential security issue.
- Test vulnerabilities only on accounts you own or on accounts you have permission to test from the account holder.
- If you inadvertently access other users’ data in your testing, please let us know, and do not store any such user data.
- Do not use a finding to compromise, exfiltrate, modify, or destroy data, or to pivot to other systems. Use a proof of concept only to the extent needed to demonstrate the issue.
- Do not engage in any activity that would be disruptive, damaging, or harmful to Kontent.ai, its brands, or its users. This includes social engineering, unsolicited messages, phishing, physical security attacks, and any type of denial-of-service attack, especially using automated tools.
- Do not test third-party websites, applications, or services that integrate with Kontent.ai services without their permission.
- Any illegal activity is prohibited.
- Do not publicly disclose vulnerabilities or otherwise share them with a third party (this means sharing any details with anyone other than authorized Kontent.ai employees) without the express written permission of Kontent.ai.
- Do not contact Kontent.ai Support by any means in relation to this program (for example, to pre-validate reports, have them tested, or ask for status updates).
Qualifying issues
We’re particularly interested in the following types of vulnerabilities and impacts:
- Remote code execution
- XSS resulting in access to sensitive data (e.g., session info)
- Insecure direct object reference resulting in access to sensitive data or functionality
- Business logic flaws that result in access to sensitive data or functionality
We are not interested in the following types of issues:
- Attacks requiring physical access to a user's device
- Phishing techniques
- Disclosure of known public files or directories (e.g., robots.txt)
- Missing DNS records (e.g., CAA, DMARC, and SPF)
- Banner disclosure on common/public services
- HTTP/TLS configuration issues without demonstrable impact
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- CSP and other security header configuration suggestions
- Presence of application or web browser 'autocomplete' or 'save password' functionality
- CSRF on forms that are available to anonymous users
- Username enumeration on login or forgot password pages
- Rate limit bypasses where throttling is not in place
Scope
This policy applies to the following systems and services:
- Kontent.ai client → https://app.kontent.ai
- Management API v2 → https://manage.kontent.ai/v2
- Delivery API → https://deliver.kontent.ai
- Delivery GraphQL API → https://graphql.kontent.ai
- Presentation website → https://kontent.ai/
Any systems or services not expressly listed above are out of scope and are not authorized for testing.
Reporting issues
Please contact us at security@kontent.ai. For secure communication, use our PGP key. If you find multiple issues, please report them separately. We will keep you up to date on the progress towards remediation of issues we accept from you, and we ask you not to disclose the issue publicly without Kontent.ai’s prior written permission.
Legal Terms
In connection with your participation in this program, you agree to comply with the Terms of Service and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Kontent.ai reserves the right to change or modify the terms of this program at any time.
Safe harbor
Kontent.ai will not initiate a lawsuit or law enforcement investigation against you in response to reporting a vulnerability if you fully comply with this policy.
Rewards
Currently, we do not guarantee monetary rewards (“bounties”) for findings, but we may decide to recognize your efforts in the Acknowledgements below.
Acknowledgments
We would like to thank all researchers who help us improve the security of Kontent.ai's products and websites.
Name / Company
Questions
If you have any concerns, or are uncertain whether your security research is consistent with this policy, please contact security@kontent.ai before going any further.