At Maltego, we value the security of our systems and the privacy of our users. We welcome and encourage responsible disclosure of any potential security vulnerabilities found in our systems.
If you believe you have found a security vulnerability in one of our systems or products, we ask that you follow the guidelines below to report it responsibly.
Reporting Process 🔗︎
- Do not attempt to access, manipulate, or access other users’ data.
- Do not use the vulnerability for malicious purposes.
- Send us your notification via email to email@example.com (You may encrypt to our GPG key (fp: E895 4507 33BA EC10 79AF 35DB 7748 99F2 CDB6 BE42 - https://www.maltego.com/security_maltego.com-pub.asc)
- Please include the following information in your report:
- Your contact details (i.e., name, phone, email address, and PGP key if applicable)
- A description of the vulnerability identified
- The service/device/application impacted by the vulnerability (including hostnames/IPs)
- A step-by-step description of how to recreate the problem
- The source IP address(es) from which the security vulnerability was identified, together with the date, time, and time zone of the discovery (to help us find matching log entries)
- A zip archive containing any files helpful in reproducing the flaw (e.g., screenshots, PoC, code, scripts, pcap traces, logs, source IP addresses, etc.)
- Allow us reasonable time to investigate and resolve the issue before making any public disclosures.
In return, we will: 🔗︎
- Investigate all reports in a timely manner
- Keep you informed of our progress and provide a timeline for resolution.
- Provide a reasonable reward for any valid report, if applicable. Note that our governance rules prevent us from rewarding anonymous submitters (public statements can remain anonymous/pseudo-anonymous).
If you have any questions or concerns, please feel free to contact us at firstname.lastname@example.org.
Examples of Vulnerabilities We Will Consider 🔗︎
- Injection vulnerabilities (SQL/NoSQL) injection, command injection
- Object serialization/deserialization (JSON/XML/YAML) vulnerabilities
- Broken authentication or broken access control
- Data exposure (vulnerabilities that can lead to data leakage)
- Cross-site scripting and request forgeries
- Server-side request forgeries
- Redirect vulnerabilities
- Under-protected API
- Known and zero-day vulnerabilities
Vulnerabilities We Do Not Consider Part of Vulnerability Reporting 🔗︎
Our resources are not infinite; we ask that the following classes of vulnerabilities/threats not be actively sourced by external researchers.
- Output of well-known automated tools/scanners
- Social Engineering/Phishing against Maltego employees or partners
- Physical access attacks
- Vulnerabilities in a vendor we integrate with. If you find one, we would like to know about it
- Brute-force / rate-limit / velocity testing
Thank you for helping us keep our systems secure.