Vulnerability disclosure policy

This guide is aimed at security researchers and outlines how potential security issues should be reported to us. If you are a Kundo customer with questions or concerns regarding security, please contact us directly at security@kundo.se.

Terms and guidelines

  • We will respond to vulnerability disclosures quickly in order to resolve the issue as soon as possible (initial contact within 3 business days of the submission)

  • You are not allowed to run a vulnerability scanner or perform a load test against our systems without our prior approval

  • We kindly ask you not to disclose problems to others before initiating a dialogue with us

  • This document is a living document and is updated regularly by Kundo

  • Reports that do not match the guidelines outlined in this document will not be responded to

  • Vulnerability testing may only be performed on the domains kundo.se, kundo.no, kundo.fi, and kundo.dk and their subdomains

Out-of-scope vulnerability types

We kindly ask you not to contact us regarding findings of the types listed here:

  • Reports from automated tools or scans that have not been manually validated

  • Missing or misconfigured DMARC, DKIM, or SPF records

  • Iframe policies and clickjacking

  • CSRF without clear security impact

Reporting of findings

Use the form at the bottom of this page or send an email to security@kundo.se to report your findings. We kindly ask that every report include at least:

  • Classification of the vulnerability

  • Description of how it can be exploited

  • A well-written proof of concept

  • Justification of the assessed severity

Perform testing only on in-scope systems, and respect the systems and activities that are out of scope.
