Security overview

Includable takes the utmost responsibility for keeping the Includable Platform and any data stored by users secure. This page lists the security standards and technologies we use to do this.

FERPA compliance

Includable and Scholica are FERPA (Family Educational Rights and Privacy Act) compliant so your student data is absolutely secure and will never be used to target advertisements without your explicit consent.

HTTPS (SSL) everywhere

All Includable web URLs that require user authentication or otherwise contain personal information are only available through a secure HTTPS connection. This is true for the main Includable and Scholica domains includable.com, scholica.com and scholica.courses, as well as any custom domains set up by Includable customers. Custom domains use Let's Encrypt to automate the HTTPS certificate generation process.

  • An SSL report for includable.com can be viewed on ssllabs.com.
  • Includable servers have been patched for the Heartbleed and POODLE vulnerabilities.
  • Includable supports the TLS 1.0, 1.1 and 1.2 protocols, and does not support the deprecated protocols SSLv2 and SSLv3.
  • Strict Transport Security (HSTS) is enabled for any application subdomain.
  • Authentication cookies are set with the Secure and HttpOnly flags.
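The HSTS and cookie-flag properties listed above can be verified from a captured response without any network access. The following audit is an added example, not Includable's code; the response headers and the set of cookie names treated as authentication cookies (AUTH_COOKIE_NAMES) are constructed assumptions.

```python
import re

# Constructed sample response (not a real Includable capture). The second
# auth cookie deliberately lacks HttpOnly so the audit reports a finding.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: auth_token=xyz789; Path=/; Secure\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Cookie names treated as authentication cookies (assumed; adjust per app).
AUTH_COOKIE_NAMES = {"session", "auth_token"}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months, a common minimum for HSTS

def parse_headers(raw):
    """Return (name, value) pairs in order, preserving repeated headers."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_hsts(headers):
    """Findings for a missing or too-short Strict-Transport-Security policy."""
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["HSTS header missing"]
    m = re.search(r"max-age=(\d+)", values[0], re.I)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return ["HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE]
    return []

def check_cookie_flags(headers):
    """Findings for authentication cookies missing Secure or HttpOnly."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        if name not in AUTH_COOKIE_NAMES:
            continue  # non-auth cookies such as UI preferences are not checked
        attrs = {p.lower() for p in parts[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append("cookie %s lacks %s" % (name, flag))
    return findings

def audit(raw):
    """Run both checks over a raw response; an empty list means all clear."""
    headers = parse_headers(raw)
    return check_hsts(headers) + check_cookie_flags(headers)
```

Running `audit(SAMPLE_RESPONSE)` returns `["cookie auth_token lacks httponly"]`; feed it the headers of a real login response to check the same properties on a live deployment.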

Server hosting

Includable database servers are located within the European Entrepreneurial Region (EER). Specifically, our application and database servers are located in data centres in Dublin, Ireland. File storage and our content delivery network use a series of edge servers in Europe, Asia and the United States.

Infrastructure services are provided by Amazon Web Services (AWS) and DigitalOcean.

Data backups

Includable uses Amazon's automatic backups of file and database storage and creates monthly offsite static backups.

Password policy

Includable enforces a password policy that requires all user-created passwords to be at least 6 characters long by default. Administrators of Includable Platform accounts are able to add more policy features.

Vulnerability disclosure

Includable has ISO 29147 & 30111 compliant vulnerability disclosure workflows in place, as well as a bug bounty program. Vulnerabilities can be disclosed through security@includable.com.

We use the Common Vulnerability Scoring System (CVSS) to determine the severity of an individual vulnerability.

Disclosure Policy

Verifiable proof the vulnerability exists (screenshot/video/script) is required to receive an award.

For more technically elaborate vulnerabilities, reproduction steps are required. If our security team cannot reproduce and verify an issue, a bounty cannot be awarded.

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

A good bug report should include the following information at a minimum:

  • List the URL and any affected parameters
  • Describe the browser, OS, and/or app version
  • Describe the perceived impact. How could the bug potentially be exploited?

Findings not eligible for bounty:

  • Vulnerabilities affecting outdated browsers or platforms
  • Recently disclosed 0-day vulnerabilities
  • "Self" XSS
  • Open redirects
  • Missing cookie flags
  • SSL/TLS best practices
  • Information disclosures
  • Mixed content warnings
  • Denial of Service attacks
  • "HTTP Host Header" XSS
  • Clickjacking/UI redressing
  • Missing crumb parameters
  • Software version disclosure
  • Account/e-mail enumeration
  • Reflected file download attacks
  • Incomplete or missing SPF/DKIM
  • Physical or social engineering attacks
  • Results of automated tools or scanners
  • Login/logout/unauthenticated/low-impact CSRF
  • Presence of autocomplete attribute on web forms
  • Using unreported vulnerabilities to find other bugs
  • Self-exploitation (i.e. password reset links or cookie reuse)
  • Issues related to networking protocols or industry standards
  • Use of a known-vulnerable library (without proof of exploitability)
  • Descriptive/verbose/unique error pages (without proof of exploitability)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability

Eligibility and Coordinated Disclosure

You will be eligible for a bounty only if you are the first person to disclose an unknown issue to Includable. The Includable development team has 30 days to respond to the report, and up to 90 days to implement a fix based on the severity of the report. Please allow for this process to fully complete before you publicly disclose the vulnerability. Note that posting details or conversations about this report before it has been approved for disclosure or posting details that reflect badly on this program and the Includable brand will result in forfeiture of any award and/or immediate removal from the program.

Vulnerability reports log

July 2017

  • [MINOR] [FIXED] Minor XSS vulnerability in the 'Finish My Account' screen on the fields 'first name' and 'last name', allowing a user to pass in certain specific JavaScript expressions.

January 2017

  • [MINOR] [FIXED] When adding content through the WYSIWYG editor in multiple locations in the Courses module, it was possible to add malicious <script> tags.
    Version affected: beta-2
    Communities affected: StartupSpirit
    Version fixed: 2.0.0

August 2016

  • [MINOR] [FIXED] A theoretical XSS attack was possible through the GET parameter community on login pages, the value of which was printed in the resulting HTML without sanitisation. This type of attack is improbable as it would not have yielded any interesting information: the user wasn't signed in yet.
    Communities affected: all

December 2014

  • [MEDIUM] [FIXED] When entering an empty username in the login form of communities that use external LDAP authentication, a request to the LDAP server would still be sent, which allowed a theoretical DDoS attack, as some LDAP servers have rate limiting based on the user that is signing in.
    Communities affected: Bernardinuscollege

September 2014

  • [HIGH] [FIXED] Custom domain names did not use SSL, which allowed network spoofing to capture passwords, especially on large corporate networks with many users logging in to Includable every few minutes.
    Communities affected: Bernardinuscollege
    Implemented solution: SSL is required for all authentication attempts (update: all custom domains are now automatically provided with an SSL certificate).

PGP key

If you wish to secure your email transactions with us, please use our PGP key below.

Fingerprint: EE0F 4B84 A58A 3FF0 5728 9044 7599 4EE6 D0F1 FD7F
