Report Software Vulnerability

What to do if you identify a software vulnerability in any KAMAR product

Inbox Design takes security very seriously, and investigates all reported vulnerabilities. Please report any suspected security vulnerability in an Inbox Design product or service.


How to Contact Us

Suspected vulnerabilities can be reported by:

Please ensure you clearly indicate that you are reporting a security vulnerability (e.g., by including "Security Vulnerability" in the email subject).

While you can submit a report without supplying valid contact information, doing so would make it impossible for us to contact you if further details are needed. The information you share with us as part of this process is kept confidential and will not be shared with third parties without your permission. Further information about how we collect, store, use and dispose of information can be found in our Privacy Statement.

Please provide any supporting material (proof-of-concept code, tool output, screenshot, etc.) that would be useful in helping us understand the nature and severity of the vulnerability or the abuse that is happening.


How We Respond

If your contact details are supplied, we will respond to you acknowledging receipt of the report and outlining the next steps in the process. Once the report has been submitted, Inbox Design will review it and assign it a tracking number. Our team will then work to validate and rate the reported vulnerability.

Inbox Design will try to score the vulnerability according to the Common Vulnerability Scoring System base metric system. The initial score will be based on the information you provided. The assigned score will be adjusted as further information is collected and more in-depth tests are performed by Inbox Design.

If additional information is required in order to validate or reproduce the issue, Inbox Design will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution.


Third Party Products

If the vulnerability is found to affect a third party product used in the Inbox Design IT infrastructure or software, we will notify the author of the affected software. Inbox Design will continue to co-ordinate between you and the third party. Information which could disclose your identity will not be disclosed to the third party without your permission.


Responsible Disclosure

In order to protect our customers, Inbox Design requests you do not post or share any information about a potential vulnerability to any third party or in any public setting. You may share the information with Inbox Design administrators at the school that provided your log-in access. KAMAR management may share the information with appropriate school staff.

Inbox Design will co-ordinate public notification of a validated vulnerability to its clients. Where a vulnerability is known to have been exploited, it is the school's responsibility to disclose to affected people (i.e., staff, students and/or caregivers). When possible, we would prefer that our respective public disclosures be posted simultaneously to prevent any further exploitation of the vulnerability.

The timing of any public notification may be staged or delayed until the vulnerability has been addressed, depending on the severity and impact of the vulnerability.

Please understand that addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

Inbox Design will undertake to notify interested parties in a timely manner, including (but not limited to):

  • Client Schools
  • Ministry of Education (Data and Security)
  • Office of the Privacy Commissioner
  • Affected Third Parties