Includable takes the utmost responsibility in keeping the Includable Platform and any data stored by users secure. This page lists the security standards and technologies we use to do this.
Includable and Scholica are FERPA (Family Educational Rights and Privacy Act) compliant: student data is handled according to those requirements and will never be used to target advertisements without your explicit consent.
HTTPS (SSL) everywhere
All Includable web URLs that require user authentication or otherwise contain personal information are only available over a secure HTTPS connection. This is true for the main Includable and Scholica domains, scholica.courses, as well as any custom domains set up by Includable customers. Custom domains use Let's Encrypt to automate certificate issuance and renewal.
- An SSL Labs report for includable.com can be viewed on ssllabs.com.
- Includable servers have been patched against the Heartbleed and POODLE vulnerabilities.
- Includable supports the TLS 1.0, 1.1 and 1.2 protocols, and does not support the deprecated protocols SSLv2 and SSLv3. (TLS 1.0 and 1.1 have themselves since been deprecated by RFC 8996; modern clients should expect to negotiate TLS 1.2.)
- Strict Transport Security (HSTS) is enabled for all application subdomains.
- Authentication cookies are set with the Secure and HttpOnly flags.
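The HSTS and cookie-flag claims above are the kind of thing a practitioner verifies from a captured response rather than from a policy page. The following is an added example (not Includable tooling) that audits a list of response headers for a valid HSTS policy with a one-year max-age and includeSubDomains, and for Secure, HttpOnly and SameSite on every cookie; the two responses it checks are constructed for illustration.

```python
"""Audit an HTTPS response for the hardening properties listed above: a valid
HSTS policy (long max-age, includeSubDomains so every application subdomain is
covered) and Secure/HttpOnly/SameSite on every cookie.  Added example, not
Includable tooling; the responses below are constructed."""

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains, preload), or None when the policy is
    invalid (no numeric max-age), in which case browsers ignore it."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


def cookie_attributes(set_cookie):
    """Split a Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return a list of findings for a list of (header name, value) pairs.

    An empty list means the response passes every check."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        policy = parse_hsts(hsts[0])
        if policy is None:
            findings.append("HSTS policy invalid: no numeric max-age")
        else:
            max_age, include_sub, _preload = policy
            if max_age < ONE_YEAR:
                findings.append(f"HSTS max-age {max_age} is below one year")
            if not include_sub:
                findings.append("HSTS policy lacks includeSubDomains")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = cookie_attributes(v)
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name!r} lacks {flag}")
    return findings


# Constructed responses: one matching the claims above, one from an unhardened app.
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=0123abcd; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
UNHARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("Set-Cookie", "session=0123abcd; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```

In practice the header list comes from the response to an HTTPS request for a login URL; the HSTS check deliberately treats a non-numeric max-age as a missing policy, because that is how browsers treat it.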
Includable database servers are located within the European Economic Area (EEA). Specifically, our application and database servers are located in data centres in Dublin, Ireland. File storage and our content delivery network use a series of edge servers in Europe, Asia and the United States.
Infrastructure services are provided by Amazon Web Services (AWS) and DigitalOcean.
Data backups
Includable uses Amazon's automatic backups of file and database storage and creates monthly offsite static backups.
Includable enforces a password policy that requires all user-created passwords to be at least 6 characters long by default. Administrators of Includable Platform accounts can configure stricter requirements. (Note that NIST SP 800-63B recommends a minimum of 8 characters for user-chosen passwords, so administrators should consider raising the default.)
Includable has ISO 29147 & 30111 compliant vulnerability disclosure workflows in place, as well as a bug bounty program. Vulnerabilities can be disclosed through firstname.lastname@example.org.
We use the Common Vulnerability Scoring System (CVSS) to determine the severity of an individual vulnerability.
Verifiable proof the vulnerability exists (screenshot/video/script) is required to receive an award.
For more technically elaborate vulnerabilities, reproduction steps are required. If our security team cannot reproduce and verify an issue, a bounty cannot be awarded.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
A good bug report should include the following information at a minimum:
- List the URL and any affected parameters
- Describe the browser, OS, and/or app version
- Describe the perceived impact. How could the bug potentially be exploited?
Findings not eligible for bounty:
- Vulnerabilities affecting outdated browsers or platforms
- Recently disclosed 0-day vulnerabilities
- "Self" XSS
- Open redirects
- Missing cookie flags
- SSL/TLS best practices
- Information disclosures
- Mixed content warnings
- Denial of Service attacks
- "HTTP Host Header" XSS
- Clickjacking/UI redressing
- Missing crumb parameters
- Software version disclosure
- Account/e-mail enumeration
- Reflected file download attacks
- Incomplete or missing SPF/DKIM
- Physical or social engineering attacks
- Results of automated tools or scanners
- Login/logout/unauthenticated/low-impact CSRF
- Presence of autocomplete attribute on web forms
- Using unreported vulnerabilities to find other bugs
- Self-exploitation (i.e. password reset links or cookie reuse)
- Issues related to networking protocols or industry standards
- Use of a known-vulnerable library (without proof of exploitability)
- Descriptive/verbose/unique error pages (without proof of exploitability)
- Missing security-related HTTP headers which do not lead directly to a vulnerability
Eligibility and Coordinated Disclosure
You will be eligible for a bounty only if you are the first person to disclose an unknown issue to Includable. The Includable development team has 30 days to respond to the report, and up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability. Note that posting details or conversations about this report before it has been approved for disclosure or posting details that reflect badly on this program and the Includable brand will result in forfeiture of any award and/or immediate removal from the program.
Vulnerability reports log
When adding content through the WYSIWYG editor in multiple locations in the Courses module, it was possible to add malicious
Version affected: beta-2
Communities affected: StartupSpirit
Version fixed: 2.0.0
A theoretical XSS attack was possible on community login pages: a request value was printed in the resulting HTML without sanitisation. This type of attack is improbable as it would not have yielded any interesting information: the user wasn't signed in yet.
Communities affected: all
When entering an empty username in the login form of communities that use external LDAP authentication, a request to the LDAP server would still be sent, which allowed a theoretical denial-of-service attack, as some LDAP servers apply rate limiting based on the user that is signing in.
Communities affected: Bernardinuscollege
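The two login-page entries above (a request value reflected into the login HTML unescaped, and an LDAP bind issued even for an empty username) both come down to handling untrusted login input before it reaches an output context or an external service. The following is an added example, not Includable's code: a hidden-field parameter named `community`, the `FakeLdap` stand-in directory and the username allowlist are assumptions made for illustration. The fixed LDAP handler goes slightly beyond the entry by rejecting malformed usernames locally as well as empty ones.

```python
"""Login-page hardening for the two entries above (reflected XSS on the login page
and an LDAP bind issued for an empty username).  Added example, not Includable
code; the parameter name `community`, the allowlist and FakeLdap are assumptions."""
import html
import re

# Conservative allowlist for directory usernames.  Rejecting anything else locally
# generalises the entry above: empty or junk requests (and LDAP filter
# metacharacters) never reach the external directory.  Assumption, not Includable policy.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,128}$")


class FakeLdap:
    """Stand-in for the external LDAP server, recording every bind it receives so
    the example can show which requests reach the directory.  Constructed here."""

    def __init__(self, users):
        self.users = users      # {username: password}
        self.binds = []         # usernames for which a bind was attempted

    def bind(self, username, password):
        self.binds.append(username)
        return self.users.get(username) == password


def render_community_field_vulnerable(community):
    """The 'before' behaviour: the request value lands in the HTML unescaped, so a
    value such as  "><script>alert(1)</script>  breaks out of the attribute."""
    return f'<input type="hidden" name="community" value="{community}">'


def render_community_field_fixed(community):
    """Same field with the value HTML-escaped for an attribute context."""
    escaped = html.escape(community, quote=True)
    return f'<input type="hidden" name="community" value="{escaped}">'


def ldap_login_vulnerable(directory, username, password):
    """Always forwards the attempt to the directory, even for an empty username."""
    return directory.bind(username, password)


def ldap_login_fixed(directory, username, password):
    """Rejects empty, whitespace-only or malformed usernames and empty passwords
    before any LDAP traffic is generated."""
    username = username.strip()
    if not USERNAME_RE.match(username) or not password:
        return False
    return directory.bind(username, password)


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    print(render_community_field_vulnerable(payload))
    print(render_community_field_fixed(payload))
    directory = FakeLdap({"alice": "correct horse"})
    ldap_login_vulnerable(directory, "", "x")
    ldap_login_fixed(directory, "   ", "x")
    ldap_login_fixed(directory, "alice", "correct horse")
    print(directory.binds)  # only the vulnerable handler bound the empty name
```

`html.escape(..., quote=True)` is the right escaper only for text and quoted-attribute contexts; a value placed inside a script block or a URL needs context-specific encoding instead.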
Custom domain names did not use SSL, which allowed passwords to be captured by sniffing or spoofing on the network, especially on large corporate networks with many users logging in to Includable every few minutes.
Communities affected: Bernardinuscollege
Implemented solution: SSL is required for all authentication attempts (update: all custom domains are now automatically provided with an SSL certificate).
If you wish to secure your email transactions with us, please use our PGP key below.
EE0F 4B84 A58A 3FF0 5728 9044 7599 4EE6 D0F1 FD7F
-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBFlvtoQBEADCBrY9I+Vdvvi4zLF3qMBYKN8yUKYKRsUUVFvblymC//WA
fD+13F3MOGWHRqRYBfHA0yZdSdNE6d50YZzV/UN98yBKHnaP7QLJhNlQ3qKH
mu/NdN9tDiltSa60PvhaVwSbNlO/ksqdYIYLMkJe6uEkXzCDkGp/hs+uy3vO
XDygYmsuJDlhWtZQWwMat/vX8qsNAfKZnAzgTdTdO3jkJHwausjEeEBcTqPd
N2lqbYbWMZGdzQlVGduLRDL0xGF+IpjZNWln8/W+I2oSdgI+EFU1BL7HKLGz
Oa0eL6RrrqflUwR1cbTpD9gX2NpTAZUbWXNVD6wKfy2hm5SAqbWDE02p4e+J
noBkVTW+g3bkWEPuCQ5SGNtrnKEOGnOnceHb0THbQ0x6252A6oSckLQW+4Of
Vehx/MNkVox0tzkgVQe/tbngdjhFwo5K1P0sGRuH0cwI5Nl7SahGVKOhTUgI
nNkeSu4B2NQFEMXjtGjMHZTPjh2lMawFI8QHC15H11DB2TsUa5vkiV8sElnF
26DpyiRKyL4lG9XRROOmSTY1Dpu5obJGOV9n08U7i0zUGfusaFOT2ZcjT0d7
V/SH9vN4xB+zL2/DRS2kKS8CER3iZv0HxD2M9Y5JjstpVHRXLXoZYcL3n6W1
pfqhuig6sIJzp8RjSo6FPP7wSEg9y1oZ3zsd6QARAQABzSdUaG9tYXMgU2No
b2ZmZWxlbiA8dGhvbWFzQHNjaG9saWNhLmNvbT7CwXUEEAEIACkFAllvtogG
CwkHCAMCCRB1mU7m0PH9fwQVCAIKAxYCAQIZAQIbAwIeAQAAsk8QAKXLR54G
j41iAoOkuKh+aG4bGIxCMxB2uP1C2+fJTWdKBdWFV6cgQk7OLcZtotnjU5HN
CtOc5DX3ySacjCSs52KOtV8+E9ZV8PuMmRENimfnd/zFjBfS5VlQxaGPFRFf
m3xGytitcaMH+YptWfz8FnWTJZqVrAgpcfvd7OGSB/QJeXjLPTxkAeYeuFwk
4zF7zx6Eid8ziHLW3tK3vLuv3/0FlBFeM7f8IWeqjqVm86BUXbez4/6DfanX
yAIszQwMA3itcdaPt5l11TxXY05yKJa+TrygZ6hT7oyzIDqdpGyDk7vet/9g
GGXOHS3bvR6cuDFtpul44ZuBdXedLym9U7+Rh0MSdGGFQEl6xM2gsoEDXv14
2kzeZgXvDQHeYfXm0sxH04UeJ4pgDhBMhPxneT2e0YJXGN/mkuLVChAw8AqS
dHpw7UwnvpSdBP8zJMESMpBMQx7q7hDBAd6wU4g7VjXfGPR70W8+DvVSAjsd
VdjHAH5gZFND3IKObjLMMaR1QfuHWyICaVzUw7V1thGXcVNwh+A1qKn0y6l9
xjIYoY2I4VC4OwP+x3I4GtRKYS5fObRwFmB4zMrI9syRTPe3dscURq1q+nT4
B7NhpSCTmJkuqUvqhPAxetKUDlf7ZdBT1gwYEJM05e+pe8YSuaNlGp4NRrz5
ZoBDCyZxqQCwkaRczsFNBFlvtoQBEACcO7d4Z7Br6/rP90N04E/6wYFK/kPa
156jDNa0Y7Hod5lLyQUZxjnIbx746CgtybUvKogRgjEdEGfpYRE5coww4BGX
w7ybFP6LgXRVdfydRe9sPS4et6m7qOZIM/m1ERbf0JZ2uP7bd9ec4JrgwpMT
73FH0Xc00EeaWWHqertw0Yy64xGwPdOurhUSDbFC3DC4q6g7aPGHcfBkpwta
NC0FeJMOh9ZkXq8qfQVG6HF2ybv4IvotgoCXHqCiFFhtlDhW2muF6tSYiuhZ
MozUQtZZs0kYFQ+G86mVLX+hDLk8Y03vrVtqItz6mKvDcD1bc/lcsVkTjT8E
2juLPfhjXitVisuSI6jjHCh0UOvaivkwVPX3+mqwbYSJQ9ybsZdVCgTQ+FRG
ilUcoC1LThglPZleEXrCh+k1I0VCffqDeMmNYPOcouZBWaPnjFLv9jgRF0di
jvB6VtQ/ZYq4wgYZz5gZUMTj+HZ4vVhcHRfD8eXTaGfblfX+eF2+HdEETCV1
7370oPzi8fuoiAz810iHhmFhAhzdeYX9ihTMB4SHaiGaKflgX+PaDMDKuf85
qeWn7N+3rvgrKcXc69ladnLdlUcHZJVASlmL94SKEn3bi8m6iXA3fB+KRPco
zJY3JVCcms9H7UDJWNVV2AIJ32h1IWGe5+nmcQFxWCkLja6qn/PigwARAQAB
wsFfBBgBCAATBQJZb7aJCRB1mU7m0PH9fwIbDAAAiJMP/2fZfTz2Ufoy0Pm9
ltah5a42My4rvLLynosZhttcmNwPp3qRmIHsRHNzNeqbZNRGUxAEjQeh3Z09
76FlghntCfgWXhKlh25un2c0W/zKLC7YF8/NCrxi3lDTvqdSpKlpWlXmX4sJ
QkNddwIZcDntp+oqmZ8irNg1e5yYKFPkKQ1Hv5CARGMIMlAPARdQfV6ampsF
xdFVKav91xOIRljV6/3t5pWUDi9nuUwz812qHGq3c+dyLhEAb8xBARSHNGJo
ihQge6gr19noaomt6MmCybNq4OHVtLnIFY4tyBfX9vQY+Uw0E7PmAao668qI
JzC9uh8RiDHmtlDNN5MJ4ZyKkG0F1IDh7B3EOBaqziJs2muBEz20YWVeDfMB
5tt8u2yxVshID6RApEGYgpb3GcqWCZi2zi2daru/H5n2QxVCrYRMNeX1010L
qkOQgb/AQ83MaGfbwH/4vx3pPKbvaOUyIUjrK2bKzGwoVwUrWhOJczqHnCa8
1A8YVL1axuTIP3CT6R7RdduVKlJuBUG3i+pZjlGeAKTCAMVfGkoUJz717voR
Y2/h/fwDcL3btmYADnzzIh1xIRZH4WAMqzPS8VgVSMcZ+NYJNYKbyxXg2pPs
KAyTLUTv34SM51GMGdY6y0rg8N0ftNyDFphoutwoEiTPTPls7z14sUvcdv9e
2/1Fechg
=9e0f
-----END PGP PUBLIC KEY BLOCK-----