About Clonable

Clonable - your cloning & localization tool for websites & webshops.

E-mail
info[@]clonable.net
Phone number
+31 492 77 52 69
Address

Business Center Gemert
Scheiweg 26
5421 XL Gemert

Security

Responsible disclosure guidelines

English version: https://www.clonable.net/.well-known/responsible-disclosure.txt

At Clonable we take the security of our systems very seriously. Despite the care we take, a weak spot may still exist.

If you have found a weakness in one of our systems, we would like to hear about it so that we can take measures as quickly as possible. We would like to work with you to better protect our customers and our systems.

We ask you:

  • Email your findings to security@clonable.net;
  • Do not report missing best practices (such as no HSTS or missing security headers) unless they pose a real, demonstrable and significant risk;
  • Do not exploit the problem, for example by downloading more data than is necessary to demonstrate the leak or by accessing, deleting or modifying third-party data;
  • Do not share the problem with others until it is fixed, and delete all confidential data obtained through the leak immediately after the leak is fixed;
  • Do not use physical security attacks, social engineering, distributed denial of service, spam or third-party applications; and
  • Provide sufficient information to reproduce the problem so that we can resolve it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but more complex vulnerabilities may require more.

What we promise:

  • We will respond to your report within 5 business days with our assessment of the report and an expected date for resolution;
  • If you have complied with the above conditions, we will not take any legal action against you regarding the report;
  • We will treat your report confidentially and will not share your personal information with third parties without your permission unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible;
  • We will keep you informed of the progress in resolving the problem;
  • When we report on the problem, we will, if you wish, credit you by name as the discoverer; and
  • As a thank you for your help, we offer to add your name to our "hall of fame" for every report of a security problem not yet known to us. Depending on the severity of the problem and the quality of the report, your name may be accompanied by a link of your choice.

Hall of Fame

2020

Akshay Parse

Discovered, while troubleshooting a previously reported issue, that the HTTP headers that prevent clickjacking were missing.

Akshay Parse

Discovered that cache headers were not set properly, which could allow an attacker with physical access to the victim's computer to obtain information.

Akshay Parse

Discovered that existing sessions were not terminated when a user changed his or her password, leaving the user powerless in the event of an account takeover.