Responsible disclosure

At LeasePlan, we consider the security of our systems a high priority. However, despite the considerable care we take regarding security, we realise that vulnerabilities can and will remain. If you do find such a vulnerability, we would appreciate being notified as soon as possible so that we can take appropriate measures to remediate it swiftly.

Please note that our responsible disclosure policy is not an invitation to actively probe our business network or internet-facing services to discover vulnerabilities. Such probes attract the attention of our security team and might trigger (costly) security investigations.

What we request from you

  • Email your findings to responsible-disclosure@leaseplan.com. Please encrypt your findings using our PGP key to prevent sensitive information from falling into the wrong hands.
  • Do not take advantage of the vulnerability or problem you have discovered.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  • Do provide enough information to reproduce the problem, so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, although more information might be necessary for more complex vulnerabilities.

What we promise to do at LeasePlan Digital

  • Our Digital Security Team will confirm receipt within two business days.
  • We will respond to your report within three business days with our evaluation of the report and an expected resolution date.
  • We will always treat your notification confidentially and will never share your personal data with third parties, except when obliged to do so by law or pursuant to a court ruling.
  • We will keep you informed of the progress towards resolving the problem.
  • We will consult you on whether and how the issue is to be made public. We will never do so before the problem has been resolved. If we make the issue public, we will give you credit for identifying it, but only if you wish.
  • As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.

What to report

Please do report:

  • Persistent Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Broken Authentication
  • XML Injections (XXE)
  • Remote Code Execution (RCE)
  • SQL Injection (SQLi)
  • Vulnerabilities concerning Encryption with working exploit POC
  • Authentication Bypass (Unauthorised Sensitive Data Access)
  • Cross Tenant Data Leak
  • Directory Traversal
  • Security misconfiguration having a severe impact. These will be evaluated on a case-by-case basis.

Please do *not* report:

  • Any kind of Brute Force attacks
    o Username Dictionary Attack
    o OTP or MFA Brute Force, as these are mostly serviced by third parties
    o Forgot Password for Account lockout
  • Missing Rate Limiting Protection
  • Related to Cookies:
    o Missing “Secure” flag in cookie
    o Missing “HTTPOnly” flag in cookie
  • Social Engineering & Hacking
  • Self-XSS
  • Publicly accessible login pages for CMS/Administrative area
  • Denial of Service (DOS/DDOS) vulnerabilities
  • Security Headers related, such as but not limited to:
    o HTTP Strict Transport Security (HSTS)
    o Public Key Pinning (HPKP)
    o X-XSS-Protection
    o X-Content-Type-Options
    o X-Content-Security-Policy (CSP)
    o X-Webkit-CSP
  • HTTP methods:
    o HTTP TRACE method is enabled
    o OPTIONS, PUT or DELETE methods enabled (excepted from this list only with a working exploit)
  • Host Header Injection
  • Clickjacking and related exploitable attack vectors
  • Fingerprinting:
    o Banner Grabbing
    o Version Disclosure of public services
  • Cross-Site Request Forgery (CSRF) on publicly available forms for anonymous users:
    o Contact Form
    o Login Form
  • Autocomplete attribute is disabled
  • SSL/TLS Vulnerabilities related to configuration without a working Exploit:
    o Version Information
    o Weak Ciphers
    o SSL Forward Secrecy not Enabled
    o SSL attacks that are not remotely exploitable
  • Related to E-mail:
    o SPF
    o DKIM
    o DMARC
  • Related to DNS and Infrastructure:
    o Expired or Inactive domains
    o Missing DNSSEC
    o Localhost DNS record
  • Disclosure of known public or non-sensitive files such as robots.txt
  • HTTP 404 error pages
  • Same Site Scripting

How should you report

Describe the issue you found as explicitly and in as much detail as possible, and provide any evidence you might have. You can assume that the notification will be received by security experts such as the LeasePlan Security Team. Please send reports in English. We encourage you to send the e-mail encrypted, using the PGP key located at the bottom of this page.

Include the following in your disclosure e-mail:

  • The type of vulnerability
  • The steps you took to reproduce it
  • The full URL and payload
  • Screenshots

Rewards

LeasePlan highly appreciates your effort in assisting us to improve our systems and processes. Therefore, in most circumstances you are eligible for a suitable award. Whether to give a monetary award, and in what amount, is a decision that lies entirely within our discretion.

We will not reward when:

  • The issue was already reported. In that case, only the first reporter will be rewarded.
  • You are living in a country that is on a sanctions list.
  • The issue is already known.
  • The rules are not respected.

Privacy

For follow-up, we will ask for your contact details (name, e-mail, PGP key and optionally a phone number) unless you choose to report anonymously.

Your personal information is only used to contact you and to take action with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless the law requires us to provide it or an external organisation takes over the investigation of your reported vulnerability. In that case we will ensure that the applicable authority treats your personal information confidentially. We remain responsible for your personal information.

Email your findings

Please encrypt your findings using our PGP key to prevent sensitive information from falling into the wrong hands.
