When autocomplete results are available use up and down arrows to review and enter to select. Touch device users, explore by touch or with swipe gestures.
When autocomplete results are available use up and down arrows to review and enter to select. Touch device users, explore by touch or with swipe gestures.
System security is a top priority at Leaseweb. Regardless of the amount of effort we put into the security of our systems, there can still be vulnerabilities present. No technology is perfect, and Leaseweb believes that working with skilled security researchers across the globe is crucial in identifying any weaknesses. We encourage you to notify us iIf you believe you have identified a security issue in our product or service so we can work together to promptly resolve the issue.
Guidelines for Responsible Disclosure
Notify us as soon as possible upon discovery of a potential security issue. We will make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third -party.
Only use official communication channels. Do not use personal emails, social media accounts, or other private connections to contact a member of the security team in regard to vulnerabilities or any program related issues, unless you have been instructed to do so by the program.
No unauthorized impersonation: any unauthorized attempts to socially engineer another party through impersonation of a Leaseweb employee, another hacker, or a security team will not be tolerated.
If you comply with all conditions set in these guidelines we will not take any legal action against you regarding this report.
Your report will be confidential and we will not share your personal information with third parties without prior consent, unless it is necessary to comply with a legal obligation.
Free services for security researchers: we may refund the costs of Leaseweb services if vulnerabilities within our systems are found. The decision to refund and the subsequent amount refunded is at the discretion of Leaseweb.
Difference between Leaseweb services and customer services: vulnerabilities may be found in customer’s services that are leased from Leaseweb but not managed by us. If these vulnerabilities are discovered, we will be unable to resolve the issue or offer any rewards. If this happens, we will put you in contact with our customer, if it is feasible.
Rewards
To show our appreciation of responsible security researchers, Leaseweb offers bounties for reports of qualifying security vulnerabilities. Bounties will be awarded in the form of financial compensation(s) or Leaseweb merchandise. The amount that is rewarded per bounty is at the discretion of Leaseweb and will be based on the internal severity rating of the disclosed vulnerability. The bounty will be communicated after validation of the security vulnerability by our internal teams.
Eligibility
To qualify for a reward, you must:
Be the first reporter of the vulnerability
Follow the guidelines as described on this page
Not publicly disclose the vulnerability prior to our resolution
Provide a working proof of concept that exploits the security issue. The PoC should include at least:
Details on what the vulnerability is
The steps that we should take to reproduce the vulnerability
What kind of impact the attack would have if the vulnerability is exploited
Solely use your created accounts and not access data of other users
Not be an inhabitant of any country listed on the Specially Designated Nationals and Blocked Persons (SDN) list
Not be an inhabitant of any country listed on the Consolidated List of persons, groups and entities subject to EU Financial Sanctions list.
Exclusions
While researching, we would like to ask you to refrain from:
Social engineering (including phishing) of Leaseweb staff or contractors
Any physical attempts against Leaseweb property or data centers
Physical attack on the infrastructure
Denial of service
Login/Logout CSRF
Self-XSS (we require evidence on how the XSS can be used to attack another Leaseweb user)
Missing of rate limits
Report from automated tools and scans
Bugs in 3rd party software
X-Frame-Options related
Missing cookie flags on non-sensitive cookies
Missing security headers which do not lead directly to a vulnerability (unless you deliver a PoC)
DKIM/SPF/DMARC issues (we are aware they are missing and working on resolution)
Version exposure (unless you deliver a PoC of working exploit)
Directory listing with already public readable content
Content spoofing on error pages or text injection
How to Report
Please send your initial findings to security@leaseweb.com. If needed, you can use our PGP-key to encrypt your message. This key can be found here.
Thank you for helping to keep Leaseweb and our users safe!