Updated: July 9th, 2021
At Keap, we take the protection of our customers’ data very seriously.
Keap acknowledges the valuable role user feedback provides in developing our services and security posture, and we encourage responsible reporting of any vulnerabilities that may be found in our site or applications.
Our Commitment:
We ask that you do not share or publicize an unresolved vulnerability with third parties. If you responsibly submit a vulnerability report, we will use reasonable efforts to respond in a timely manner, acknowledge receipt of your report, and investigate the reported vulnerability. We may send an automated response as acknowledgement, and if you provided us with contact information, we may contact you if additional information is needed to assist with the investigation. For the security of our customers, we generally will not disclose, discuss, or confirm security issues.
Reporting a potential security vulnerability:
- Privately share details of the suspected vulnerability with Keap by sending an email to [email protected]
- Provide full details of the suspected vulnerability so we may validate and reproduce the issue, including:
  - A detailed description of the vulnerability
  - The full URL
  - A Proof of Concept (POC) or instructions (e.g. screenshots, video, etc.) on how to reproduce the vulnerability, or the steps taken
  - Entry fields, filters, or other objects involved
  - Risk or exploitability assessment
  - Instructions for how to reach you with follow-up questions
Offering a solution is encouraged but not required. A report that lacks a detailed explanation of the vulnerability may delay our response and any subsequent action on the finding.
Keap does not permit the following types of security research:
While we encourage you to discover and report to us any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:
- Active vulnerability scanning or testing and performing actions that may negatively affect Keap or its users (such as spam, brute force, denial of service, and similar actions)
- Hacking, penetrating, or otherwise attempting to gain unauthorized access to Keap software or systems
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on Keap personnel, property or data centers
- Social engineering any Keap service desk, employee or contractor
- Conducting vulnerability testing of participating services using anything other than test accounts
- Violating any laws or breaching any agreements in order to discover vulnerabilities