Vulnerability Disclosure Policy

Date of Last Policy Change: January 14th, 2026

At KnowledgeOwl, we take the security and integrity of our customers' data seriously. As such, we welcome input from security researchers to ensure that, should any vulnerabilities in KnowledgeOwl arise, they can be addressed quickly and effectively. However, to ensure that our customers are not impacted during any vulnerability discovery activities, please follow the terms below before testing for any vulnerabilities.

KnowledgeOwl pledges to not initiate any legal action against researchers that follow the terms below. 

We do not offer any monetary rewards (e.g. bounties) for vulnerabilities reported to us.

Scope

Please restrict any testing to the following sites:

  • app.knowledgeowl.com 
  • support.knowledgeowl.com
  • www.knowledgeowl.com

Testing KnowledgeOwl customer sites is not allowed.

Creating 1 (one) trial account per researcher is allowed. Should a researcher require a second account, or should the trial period expire before testing is complete, please contact us.

Restrictions

Generally, please do not perform any activities that will negatively impact users or normal functionality of KnowledgeOwl. Additionally, the following actions are specifically restricted: 

  • Modification of data owned by other users 
  • Deletion or corruption of data owned by other users
  • Denial of service attacks
  • Social engineering attacks including phishing
  • Email bombing or similar high-volume attacks
  • Mass submissions to or scanning of our contact us or support forms
  • Creating large numbers of trial accounts

Please do not violate any laws or agreements in order to locate vulnerabilities.

Reporting a Vulnerability

Please report any details of the discovered vulnerability to the following email address: security@knowledgeowl.com

The more details that the researcher is able to provide, the faster we will be able to respond to any vulnerabilities.

Vulnerability Acceptance and Remediation

KnowledgeOwl will make an effort to address every vulnerability report that is submitted to us. Following submission, we will attempt to reproduce the finding to ensure that it is valid and impactful and not a duplicate or previously accepted risk. Should the vulnerability be valid and require remediation, KnowledgeOwl will internally discuss what actions need to be taken and how the vulnerability will be remediated. We will endeavor to keep in contact with the security researcher during this process, provide updates on the projected remediation timeline, and inform the researcher when the vulnerability has been remediated. If the researcher wishes to disclose the discovered vulnerability publicly, we ask that they talk to us first.

We do not offer monetary bounties for accepted vulnerabilities. Researchers that report vulnerabilities to us may be eligible for addition to our hall of fame.

KnowledgeOwl is not accepting the following types of reports:

Reports of the following types are currently not eligible for KnowledgeOwl's Vulnerability Disclosure Program and will not be accepted.

  • Generic reports that contain no KnowledgeOwl-specific evidence or information, or that are otherwise clearly spam or low-effort
  • Email Spoofing (including DMARC and SPF records)
  • Missing Security Headers (such as the HSTS header), unless the lack of such a header directly leads to a vulnerability
  • Sessions not expiring on security events, such as password changes
  • Password reset tokens not being invalidated by email changes
  • Clickjacking
  • Vulnerabilities that require odd or unlikely user interaction
  • Self-XSS
  • XSS in the contents of files uploaded to the Files page, unless it can be exploited directly in the UI
    • For example, a report about an HTML file uploaded to the Files page that requires the user to open the file directly using the file's CloudFront link would not be accepted
  • XSS reports for knowledge base frontends or frontend previews (e.g. iframes like those in the style settings). Only XSS reports for app.knowledgeowl.com are accepted.
    • For example, XSS in the descriptions of categories or articles that executes only when viewing the knowledge base frontend or its previews (e.g. {knowledgebase}.knowledgeowl.com) is not accepted.
  • Logout or Login Cross-Site Request Forgery
  • Resource Flooding
  • Missing Rate Limiting
  • Weak Password Policy
  • EXIF Data Not Stripped on Images
  • Browser History Management
  • Host header injection, unless an exploit is demonstrated (such as cache-poisoning or XSS)
  • Missing Email Verification
  • User Account Enumeration
  • Missing Certification Authority Authorization (CAA) Record
  • Cross Domain Script Include
  • Open CVEs in third-party JavaScript libraries, unless an exploit is demonstrated
  • Missing DNSSEC Records

KnowledgeOwl reserves the right to not accept a report for any reason.

Questions

If you have any questions about our vulnerability disclosure policies or process, please feel free to email us at security@knowledgeowl.com

Thank You!

KnowledgeOwl would like to thank the following security researchers for their contributions of vulnerability reports and ensuring that KnowledgeOwl can continue to protect the data of its users.


    Name    Links

    Volodymyr "Bob" Diachenko https://www.linkedin.com/in/vdyachenko | https://twitter.com/MayhemDayOne
    Rohit Soni https://www.linkedin.com/in/rohit-soni-r007/
    Ritik Sahni https://twitter.com/RitikSahni22
    Abdelali Khalfi https://twitter.com/abdela1i
    Nayanjyoti Roy https://www.facebook.com/nrh4ck3r
    Jayson Vasquez Rubio https://facebook.com/100008995930508
    Jeffrey Hoekema https://linkedin.com/in/jeffrey-hoekema
    Romel Lanza https://www.facebook.com/romhel.lanza
    Pethuraj M https://www.pethuraj.in | https://www.pethuraj.com
    Priyanka Narayan https://www.linkedin.com/in/priyanka-narayan-4bb6a416b
    Soundar M https://www.linkedin.com/in/soundar-m-4647b3149/
    Yash Agarwal https://www.linkedin.com/in/yash-agarwal-17464715b/
    Anon Tuttu Venus https://in.linkedin.com/in/anonvenus
    Badal Sardhara https://www.linkedin.com/in/badal-sardhara-9b43a41a5
    Mahendra Purbia Rajasthani Hacker https://www.linkedin.com/in/mahendra-purbia-185b44186
    Nikhil Ahire https://www.linkedin.com/in/nikhil-ahire-b28b4b158
    Yogeshwaran Chandrasekaran https://www.linkedin.com/in/yogeshwaran-chandrasekaran-23283518a
    Farah Hawa https://linkedin.com/in/farah-hawa-a012b8162
    Akshay Parse https://www.linkedin.com/in/akshay-parse-0b1176199
    Pritam Mukherjee https://www.linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9/
    Robert Aaron https://linkedin.com/in/robert-aaron-14735b188
    Mohamed Saqib C https://www.linkedin.com/in/mohamed-saqib/
    Aamir Usman Khan https://www.linkedin.com/in/aamir-u-khan/
    Jerry Thomas https://www.linkedin.com/in/jerry-thomas-4a1a69169/
    Midhun S https://www.linkedin.com/in/midhun-s-8a5939150
    Akhil Sabu https://www.linkedin.com/in/akhil-sabu-a2136497
    Gawasharks https://twitter.com/gawasharks
    Nirjhar Banik https://www.linkedin.com/in/neerjhar
    Agrah Jain https://www.linkedin.com/in/agrahjain
    Akshay Gaikwad https://www.linkedin.com/in/akshay-gaikwad-272878165
    Kartik Adak https://www.linkedin.com/in/kartik-adak-81a25918a/
    Souvik Roy https://www.linkedin.com/in/souvikroyofficial
    Lokesh Goyal https://www.linkedin.com/in/lokesh-goyal-79a147157
    Bindiya Sardhara https://www.linkedin.com/in/bindiya-sardhara-24b1a2b4/
    Midhun Mohanan https://www.linkedin.com/in/midhun-mohanan-629173184/
    Harsh Vijaykumar Parasiya https://www.linkedin.com/in/harsh-parsiya-23109b123 | https://www.facebook.com/harsh.parasiya
    d3vpoo1 https://gitlab.com/jrckmcsb
    Chirag Ketan Prajapati https://www.linkedin.com/in/chirag-prajapati-1bb788191
    Gourab Sadhukhan https://www.linkedin.com/in/gourab-sadhukhan-71158216a
    Nitesh Pandey https://www.linkedin.com/in/osintnitesh
    Karan Keswani https://www.linkedin.com/in/karankeswani1203/
    Purbasha Ghosh https://www.linkedin.com/in/purbasha-ghosh-18b3711a1/
    MAHIN VM https://in.linkedin.com/in/mahin-vm-57413315a
    Nishant Narendra Lungare https://www.linkedin.com/in/nishant-lungare-28b841157
    Vikash Kumar https://www.linkedin.com/in/vikash-kumar-7b938a176 | https://twitter.com/vksutk
    Shubham Kumar https://www.linkedin.com/in/shubham-kumar-948722189/
    Abhijit P. Mali https://twitter.com/Abhijitmali183
    JIMMI SIMON https://www.linkedin.com/in/jimmisimon/ | http://jimmisimon.in/
    Praful Apuri https://www.instagram.com/itz_praffy/ | https://twitter.com/itzpraffy
    Shubhdeep https://www.linkedin.com/in/shubhdeep404
    Dhanumaalaian R https://www.linkedin.com/in/dhanumaalaian-r-b34338189/ | https://twitter.com/dhanumaalaian
    Akash.H.C https://www.linkedin.com/in/akash-h-c-4a4090a7/
    Tejavardhan Vishwakarma https://www.linkedin.com/in/tejavardhan-vishwakarma-32791273
    Akash Patil https://twitter.com/skypatil98
    Vani K G https://www.linkedin.com/in/vani-k-g-016780197
    Ramesh Kumar Sekar https://www.linkedin.com/in/ramesh-kumar-sekar-80964b146/
    Anshuman Prajapati https://www.linkedin.com/in/anshuman-prajapati-b03404195/
    Pratik Khalane https://www.linkedin.com/in/pratik-khalane/
    Chetan Pathade https://www.linkedin.com/in/chetan-pathade/
    Souvik Mondal https://www.linkedin.com/in/souvik-mondal-8b3a0a1b3/
    Eeshwar Dronavalli https://www.linkedin.com/in/eeshwar-dronavalli-5a16ba16a/
    Sanidhya Ved https://www.linkedin.com/in/sanidhya-ved-0734501a2
    Kinshuk Kumar https://www.linkedin.com/in/kinshuk-kumar-4833551a1/
    Amit Kumar https://www.linkedin.com/in/amit-kumar-9853731a4
    Ali Hassan Ghori https://www.linkedin.com/in/alihassanghori/
    Mohammed Wasim Khan https://www.linkedin.com/in/wasimkhan844
    Saranya N https://www.linkedin.com/in/saranya-n-106217197/
    Maulik Vaidh https://twitter.com/maulik1827
    Jha kalpeshkumar D. https://in.linkedin.com/in/kalpeshkumar-jha-b28b7851 | https://twitter.com/jha_kalpesh
    Rajvee Chauhan https://www.linkedin.com/in/rajvichauhan
    Poonam Panchal https://www.linkedin.com/in/poonam-panchal-8983b6182
    Niraj Mahajan https://www.linkedin.com/in/niraj1mahajan/
    Shoeb Raseed Shaikh https://www.linkedin.com/in/ishoebshaikh
    Durgesh Patil https://www.linkedin.com/in/durgeshpatil1999
    Alok Verma https://www.linkedin.com/in/alok-verma-098081114 | https://www.uedeveloper.com/
    Keyur Mehta https://www.linkedin.com/in/keyur-mehta4455
    Ashutosh Raval https://www.linkedin.com/in/0one-ashutosh-%E2%98%80%EF%B8%8F-b58b89137 
    Kartik Khurana https://www.linkedin.com/in/kartik-khurana-878739175
    Dhruvin Shah https://www.linkedin.com/in/dhrruvin/
    Patel Riya https://www.linkedin.com/in/riya--patel
    Dharmishtha Mandhalkar https://www.linkedin.com/in/dharmishtha-mandhalkar-24057820a
    Vishal Vishwakarma https://www.instagram.com/rootxvishal/
    Sachin Kalkumbe https://www.linkedin.com/in/sachin-kalkumbe-462824201
    Saransh Saraf (MR23R0) https://www.linkedin.com/in/saransh-saraf-2b514b20b/
    EZOUINE ACHRAF
    Bikash Kumar Prasad https://www.linkedin.com/in/bikash-prasad-b2b0b41a5/ 
    Hydrogen https://twitter.com/bikz21 
    Pavan Saxena https://www.linkedin.com/in/pavan-saxena2506
    Younghun Lee 이영훈 https://www.linkedin.com/in/younghun-lee-2407b1113/
    Sidhu Mossewala https://www.linkedin.com/in/ritik-jangra-03b80a21b
    Yash Kushwah (@cyberyash951) https://www.linkedin.com/mwlite/in/yash-kushwah-a80449229
    Milan Jain (Scriptkiddie) https://www.linkedin.com/in/milan-jain-scriptkiddie-50a738213 
    Yogesh Bhandage https://in.linkedin.com/in/yogesh-bhandage
    Heidar Zeinalli https://www.linkedin.com/in/heidar-zeinalli-421313275
    K.Rajesh Sagar https://www.linkedin.com/in/rajesh-sagar-95619524b
    Abhinav Bansal https://www.linkedin.com/in/abhinav-bansal-027307202
    Satyam Jadhav www.linkedin.com/in/satyam-jadhav-19a900242
    Nitin Yadav(Raosahab) https://www.linkedin.com/in/nitin-yadav-11b523223
    Fardin Shahriwar https://www.linkedin.com/in/fardinian/