Responsible Disclosure

At Katana, we greatly value the support of IT security researchers and cybersecurity community members in helping us maintain high IT security standards.

If you identify a security vulnerability relating to our product, please notify us before disclosing the vulnerability to the outside world so we can take the necessary measures. This is known as responsible disclosure.

Scope

  • Katana’s core platform. (factory.katanamrp.com)

How do I submit a report?

If you have identified a security vulnerability, please notify us as soon as possible via email to 

What happens after I submit my report?

  • You will receive an email within two business days confirming that we have received your submission.
  • Our engineers will review the submission, including reproducing the vulnerability. The review time may vary depending on the complexity and completeness of the report. However, we aim to assess reports within 2 weeks.
  • We will inform you regarding our assessment in line with an expected remediation timeline.
  • We will inform you in case your submission is eligible for a reward.

What should I include in the report?

The main factors that influence the time it takes to address a vulnerability are how long it takes to assess its root cause, severity, and impact. Better quality reports will be treated with higher priority and processed faster. However, we still want to learn about vulnerabilities even if the reports are not of the highest quality.

To help us address reports in the best possible way, please include the following information in your report:

  • The type of vulnerability.
  • The service/device/application impacted by the vulnerability.
  • The output from a successful reproduction of the vulnerability. This could consist of debugger output, a screenshot, a video, or any other format that demonstrates a reproduction of the issue.
  • Proof-of-concept code depending on the nature of the vulnerability.
  • A detailed description. This analysis should correctly describe how each part of the proof-of-concept affects the target in terms of triggering the vulnerability. In addition, the analysis should include information about how timing, environment, or other constraints affect successfully triggering the vulnerability.
  • Description of the root cause of the vulnerability and any potential remediation to the highest degree possible.
  • Any plans or intentions for public disclosure.

Guidelines

  • Please act responsibly in dealing with your discovery of the identified security vulnerability.
  • Do your best to avoid research that violates customer privacy policy, destroys data, or interrupts our service.
  • Do not take any actions beyond what is needed to identify and verify the issue.
  • Please keep confidential all information relating to the discovered vulnerability from third parties for at least 90 days. This allows us to identify and implement measures to address your reported issue.
  • Please do not use the identified security vulnerability to your advantage and avoid storing any confidential data obtained due to the issue.
  • The output of well-known automated tools/solutions is not sufficient.
  • Brute force, DOS, phishing, social engineering, and physical security attacks will not be rewarded.

Reward Guidelines

1. We do NOT reward every report. We evaluate each case based on multiple factors e.g. type of vulnerability, severity, potential impact to customers, potential impact to us, exploitability, difficulty etc. Together with all these, we decide if the reward will be given and the amount of the reward.

2. Usually low severity reports will not be rewarded, however there might be exceptions to this depending on the vulnerability.

3. Brute force, DOS, phishing, social engineering, and physical security attacks will not be rewarded.

4. CSV injection, clickjacking type of vulnerabilities are not rewarded.

5. Credential dumps from various public resources will not be rewarded, unless you can prove that the source of dump was a vulnerability of our application.