Responsible disclosure
At LeasePlan, we consider the security of our systems a high priority. However, despite the considerable care we take regarding security, we realise that vulnerabilities can and will remain. If you do find such a vulnerability, we would appreciate being notified as soon as possible so that we can take appropriate measures to remediate it swiftly.
Please note that our responsible disclosure policy is not an invitation to actively probe our business network or internet-facing services to discover vulnerabilities. Such probes attract the attention of our security team and might trigger (costly) security investigations.
What we request from you
- Email your findings to responsible-disclosure@leaseplan.com. Please encrypt your findings using our PGP key to prevent sensitive information from falling into the wrong hands.
- Do not take advantage of the vulnerability or problem you have discovered.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Do provide adequate information to reproduce the problem, so that we can resolve it as quickly as possible. Usually, the IP address or URL of the affected system and a description of the vulnerability will be sufficient, although more information might be necessary for more complex vulnerabilities.
What we promise to do at LeasePlan Digital
- Our Digital Security Team will confirm receipt within two business days.
- We will respond to your report within three business days with our evaluation of the report and an expected resolution date.
- We will always treat your notification confidentially and will never share your personal data with third parties, except when obliged to do so by law or pursuant to a court ruling.
- We will keep you informed of the progress towards resolving the problem.
- We will consult you on whether and how the issue is to be made public. We will never do so before the problem has been resolved. If we make the issue public, we will give you credit for identifying it, but only if you wish.
What to report
Please do report:
- Persistent Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Broken Authentication
- XML Injections (XXE)
- Remote Code Execution (RCE)
- SQL Injection (SQLi)
- Vulnerabilities concerning encryption, with a working exploit PoC
- Authentication Bypass (Unauthorised Sensitive Data Access)
- Cross Tenant Data Leak
- Directory Traversal
- Security misconfiguration having a severe impact. These will be evaluated on a case-by-case basis.
Please do *not* report:
- Any kind of brute force attack:
  - Username dictionary attack
  - OTP or MFA brute force, as these are mostly serviced by third parties
  - Forgot Password for account lockout
- Missing rate limiting protection
- Related to cookies:
  - Missing "Secure" flag in cookie
  - Missing "HTTPOnly" flag in cookie
- Social engineering & hacking
- Self-XSS
- Publicly accessible login pages for CMS/administrative areas
- Denial of Service (DoS/DDoS) vulnerabilities
- Security header related issues, such as but not limited to:
  - HTTP Strict Transport Security (HSTS)
  - Public Key Pinning (HPKP)
  - X-XSS-Protection
  - X-Content-Options
  - X-Content-Security-Policy (CSP)
  - X-Webkit-CSP
- HTTP methods:
  - HTTP TRACE method is enabled
  - OPTIONS, PUT or DELETE methods enabled (excepted only with a working exploit)
- Host header injection
- Clickjacking and related exploitable attack vectors
- Fingerprinting:
  - Banner grabbing
  - Version disclosure of public services
- Cross-Site Request Forgery (CSRF) on publicly available forms for anonymous users:
  - Contact form
  - Login form
- Autocomplete attribute is disabled
- SSL/TLS vulnerabilities related to configuration, without a working exploit:
  - Version information
  - Weak ciphers
  - SSL forward secrecy not enabled
  - SSL attacks that are not remotely exploitable
- Related to e-mail:
  - SPF
  - DKIM
  - DMARC
- Related to DNS and infrastructure:
  - Expired or inactive domains
  - Missing DNSSEC
  - Localhost DNS record
- Disclosure of known public or non-sensitive files such as robots.txt
- HTTP 404 error pages
- Same-site scripting
How should you report
Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you might have. You may assume that the notification will be received by security experts, such as the LeasePlan Security Team. Furthermore, send the report in English. We encourage you to send the e-mail encrypted; please use the PGP key located at the bottom of this page.
Include the following in your disclosure e-mail:
- Which (type of) vulnerability
- Steps you took to reproduce it
- Full URL and payload
- Screenshots
Rewards
Please be aware that LeasePlan currently cannot offer rewards for (security) bug reports.
Privacy
For follow-up we will ask for your contact details (name, e-mail, PGP key and optionally a phone number), unless you choose to report anonymously.
Your personal information is only used to contact you and to take action with regard to the vulnerability you reported. We will not distribute your personal information to third parties without your permission, unless the law requires us to provide it or an external organisation takes over the investigation of your reported vulnerability. In that case we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.