Vulnerability Submission Form

Found something suspicious?

Let Kevel know about any vulnerabilities you may have found. We greatly appreciate your expertise and insights.

Vulnerability Disclosure Policy

Introduction

We are committed to ensuring the security of our systems, data, and privacy at Kevel. We value the input and assistance of security researchers and the broader community in identifying and addressing potential security vulnerabilities in our products, services, and systems. This Vulnerability Disclosure Policy (VDP) outlines how individuals can report security vulnerabilities to us, our commitment to addressing such reports promptly, and the protection of responsible disclosure.

Scope

This policy applies to the Kevel Application and APIs that Kevel operates (hereafter referred to as "our services"). 
Services in scope include:

  • Kevel Decision API (*.adzerk.net)
  • Kevel Management API (api.kevel.co, api.kevel.com)
  • Kevel Management Web App (app.kevel.co, app.kevel.com)

Out of Scope

All additional online services Kevel operates are not identified as in scope.
Examples:
*.adzerk.com
*kevel.com
*kevel.co

  • DMARC Exclusions: We have established DMARC policies for our primary domain, kevel.co, to safeguard our email communications. Any subdomains or third-party services that fall outside the scope of our primary domain's DMARC policy should implement their own DMARC policies. We encourage responsible email authentication practices for all our domains and services.
  • DKIM and SPF Exclusions: DKIM and SPF records are configured for individual domains and subdomains.

Exclusions

  • Denial of service
  • Brute-force attacks
  • Spamming
  • Social engineering (including phishing) of Kevel employees.
  • Performing actions such as accessing, collecting, documenting, downloading, archiving, erasing, or modifying confidential or proprietary information, including user and personal data.

Responsible Disclosure

We encourage the responsible disclosure of security vulnerabilities that may impact the security or privacy of our services. If you believe you have discovered a potential security vulnerability, we ask that you:

  • Report the Vulnerability: Please report the vulnerability to us using our Vulnerability Submission Form (https://www.kevel.com/vulnerability). When reporting, please include a detailed description of the vulnerability, including steps to reproduce it, potential impact, and any supporting evidence (such as screenshots, logs, or code snippets).
  • Provide Contact Information: Include your contact information so we can acknowledge your report, seek further clarification if necessary, and inform you of our progress in resolving the issue.
  • Do not exploit or further disclose the vulnerability beyond what is necessary to demonstrate the issue to us. This means that you should not access or modify any data without explicit permission, and you should not share the vulnerability information with anyone else.
  • Respect our users' privacy and comply with all applicable laws and regulations. This means that you should not access or collect any personal data, and you should not engage in any illegal activities.

Our Commitment

  • Acknowledgment: We will acknowledge receipt of your report within 30 business days.
  • Investigation: Our security team will investigate the reported vulnerability promptly. We will keep you informed of the progress and expected timeframes for resolution.
  • Resolution: We will work diligently to resolve the vulnerability and take appropriate steps to address the issue. We will prioritize the disclosure process based on the severity and potential impact of the vulnerability.

Responsible Reporting Guidelines

When reporting security vulnerabilities, we request that you:

  • Do not exploit or further disclose the vulnerability beyond what is necessary to demonstrate the issue to us.
  • Do not access, modify, or delete data or systems without explicit permission.
  • Respect our users' privacy and comply with all applicable laws and regulations.

Vulnerability Classification and Prioritization

Kevel classifies vulnerabilities based on their severity and potential impact. The severity of a vulnerability is determined by the following factors:

  • The likelihood of the vulnerability being exploited.
  • The potential impact of the vulnerability if exploited.

The potential impact of a vulnerability is determined by the following factors:

  • The number of users or systems that are potentially affected by the vulnerability.
  • The sensitivity of the data that is potentially affected by the vulnerability.

Kevel uses the following severity levels:

  • Critical: This is the most severe level of vulnerability. Critical vulnerabilities can cause significant damage or loss to Kevel or its users.
  • High: This is a serious vulnerability that can cause damage or loss to Kevel or its users.
  • Medium: This is a moderate vulnerability that can cause inconvenience or disruption to Kevel or its users.
  • Low: This is a minor vulnerability that is unlikely to cause any damage or loss to Kevel or its users.

Kevel will prioritize the disclosure of vulnerabilities based on their severity. Critical vulnerabilities will be disclosed as soon as possible, followed by high, medium, and low vulnerabilities.

Communication and Transparency

Kevel will communicate with security researchers about the status of their reports. We will keep you informed of the progress of our investigation and the expected resolution timeframe. Once a vulnerability has been fixed, we will publicly disclose it.

Legal Protections

Kevel will not pursue legal action against security researchers who follow this policy in good faith, and responsibly.

Contact Information

To report a security vulnerability or inquire about this policy, please get in touch with us at:

  • Email: security@kevel.co