KORE Responsible Disclosure Policy

Introduction

If you have discovered a vulnerability in a system, network, or application of the KORE Group (which includes the parent entity and all affiliates and subsidiaries), we would like to know about it so we can take appropriate action to remediate the issue as soon as possible. We will outline the rules of engagement below, which both KORE and you must follow. 

Policy

At KORE we take information security very seriously. We understand no system can ever be fully secure and therefore we always keep in mind that vulnerabilities may exist in our systems. Because we consider the confidentiality and integrity of our customer information a top priority, we would like you to notify us in case a vulnerability has been identified within our systems.

Our Responsible Disclosure Policy consists of a set of rules that both KORE and the person reporting the vulnerability should adhere to. Please note that KORE does not have a so-called “bug bounty program” by which it may provide (high amounts of) financial rewards to the identifier of a vulnerability.

What will KORE do?

  • We will always investigate and respond to every notification.
  • We will respond to a notification within 3 working days and we will treat the finder’s personal information as confidential.
  • If we confirm the existence of a vulnerability, then we will keep the finder informed about the reasonable timeframe within which we wish to resolve the issue.
  • If we decide to make the vulnerability public, then we will consult the person who found the vulnerability. We will provide public recognition to the finder if the finder so wishes.
  • If this policy is adhered to, then KORE will refrain from reporting (attempted) hacking activities to the police.

What we require of you

  • You will report the identified vulnerability exclusively to KORE and therefore not to any third party.
  • Your report should contain as much information as possible to enable the identification of the vulnerability. This information includes, among others: IP addresses, log files, URLs, timestamps and screenshots.
  • You will see to it that your actions during and after the process of identifying vulnerabilities will all be made in good faith, meaning you will:
    • Not use or exploit the vulnerability for any other purpose than to verify the existence of the vulnerability;
    • Not copy, change, move or remove any information from the relevant system;
    • Not make any changes to the relevant system itself; and
    • Not, in any way or form, provide or help provide access to the relevant system.
  • The finder may report the identified vulnerability anonymously. However, for the purposes of follow-up communication, we will need a valid email address of yours.

How to report?

To report an identified vulnerability in any of our systems, contact security@korewireless.com. To safeguard the confidentiality and integrity of the information, we would like you to encrypt it. Our public key is listed below or can be retrieved from the usual PGP key servers. Our key ID is 1BAF317C (4096-bit RSA, created on 2019-05-03, expires 2024-05-03), with key fingerprint:

Key fingerprint = 7E080B7582A490431019B4B2FF842ABC1BAF317C

The easiest way to retrieve our key:

gpg --recv-keys 1BAF317C

Below is our public key:

When you do not adhere to the rules of engagement

If you hack one of our systems and do not adhere to the rules of engagement as outlined in this procedure, KORE will always report the incident to the police.