Vulnerability Disclosure Program Policy

Last Edit:
October 11, 2022

Kajabi is committed to providing a safe and secure experience for all users, welcomes the contributions of security researchers, and strives to provide the best vulnerability disclosure experience possible. Keeping our users' data safe, and remaining securely available at all times, is at the forefront of our business, our processes, and our teams' goals. Kajabi takes a responsible disclosure stance toward vulnerabilities submitted to us directly. Please read this policy in its entirety before any testing or disclosure. Your eligibility for a reward depends on your compliance with this policy.

Process for Disclosure

We encourage disclosure of any security vulnerability that has the potential to impact the security or privacy of Kajabi and our users. Your submission will be reviewed, validated, and rated against our internal severity matrix by the Information Security Team.

See our security.txt file (per RFC 9116, served at /.well-known/security.txt) for instructions on where to send your report.

Please submit one vulnerability per report (unless you need to chain vulnerabilities to demonstrate impact), and include the following details in your report:

  • The website, IP address, or page where the vulnerability can be observed.
  • A brief description of the type of vulnerability, for example "XSS vulnerability".
  • Concise, easily understood steps to reproduce.
  • A benign, non-destructive proof of concept. This helps ensure the report can be triaged quickly and accurately, and reduces the likelihood of duplicate reports or malicious exploitation of some vulnerabilities.
  • A proof of concept as a video or screenshots, which will expedite our investigation.

If you responsibly submit a vulnerability report, the Kajabi Information Security Team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report. If you do not receive an acknowledgement, check your spam folder and the address you sent to, then resend your report.
  • Ask you, via email, for more details or updates to your report where needed to make a determination.
  • Notify you when the vulnerability has been fixed.

Coordinated Disclosure Terms

For the protection of our customers, Kajabi generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available. You must have written permission from Kajabi before disclosing an issue to any third party or other person.

If the vulnerability is novel or impactful, we may, at our discretion, publicly share details about it and coordinate the public disclosure with the reporter. Any public disclosure must be approved by Kajabi.

Guidance For Your Research

Third-party services not owned by Kajabi (such as apps integrated with the Kajabi platform) are out of scope. While we strive for secure integrations, this policy cannot extend to services operated by other companies.

You must not:

  • Use high-intensity, invasive, or destructive scanning tools to find vulnerabilities.
  • Store, share, compromise, or destroy Kajabi or customer data, or access unnecessary, excessive, or significant amounts of data.
  • Modify data in Kajabi's systems or services.
  • Continue testing if you encounter personal data other than your own. If you encounter Personally Identifiable Information (PII), stop testing immediately, purge the related data from your systems, and contact Kajabi at once. This step protects both the potentially exposed data and you.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests. Disrupting Kajabi's services or systems in any way is not allowed; interruption or degradation of Kajabi's services as a result of your testing could result in legal action.
  • Engage in any activity that could potentially or actually cause harm to Kajabi, our customers, our customers' end users, or our employees.
  • Engage in social engineering of any kind.
  • Engage in any activity that violates any applicable federal or state laws or regulations, or the laws or regulations of any country where data, assets, or systems reside, data traffic is routed, or the researcher is conducting research activity.

You must always:

  • Comply with data protection rules and respect the privacy of Kajabi's users, staff, contractors, services, and systems. You must not, for example, share, redistribute, or fail to properly secure data retrieved from our systems or services.
  • Securely delete all data retrieved during your research as soon as the vulnerability has been reported.
  • Avoid privacy violations and destruction of data, and conduct your research in good faith.
  • Use your own account for testing or research purposes. Do not attempt to gain access to other customers' or their end users' accounts or confidential information.

Legalities

This policy is designed to be compatible with common vulnerability disclosure best practices. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause Kajabi or any affiliated companies to be in breach of any legal obligations. Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

The following terms apply to this policy and to any rewards paid to you for disclosing vulnerabilities: 

  • You must comply with the terms of this policy and all applicable laws and must not compromise or disrupt any data that is not your own. 
  • You are responsible for any tax implications of rewards, which depend on your country of residence and citizenship. There may be additional restrictions on your ability to submit depending on your local law(s).
  • We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.
  • Kajabi can use and share your findings and submissions in any way for any purpose. 

Rewards

It is in Kajabi's sole discretion whether to reward a vulnerability disclosure. Kajabi reserves the right to determine the amount and type (swag, etc.) of any reward. We will only reward the first individual to report a given vulnerability to us, and will not reward purely informational reports.

Kajabi employees, contractors, and vendors, and their family members, are not eligible for rewards.

We reserve the right to disqualify individuals for:

  • Demanding financial compensation as a condition of disclosing any vulnerability
  • Disrespectful, disruptive, dishonest, or otherwise inappropriate behavior
  • Being 13 years of age or younger
  • Being at least 14 but considered a minor in your place of residence, and participating without your parent's or legal guardian's permission
  • Residing in, associating with, or making your submission from a country, jurisdiction, or area against which the United States has issued export sanctions or other trade restrictions designated by the United States Treasury's Office of Foreign Assets Control
  • Not complying with the coordinated disclosure terms, or publicly disclosing the vulnerability before resolution or without Kajabi's consent
  • Being prohibited by law from receiving payment
  • Violating this policy
  • Any other reason not mentioned above, at Kajabi's discretion


Thanks for submitting a vulnerability report and collaborating with us to improve security! 

Last updated: August 2022