My site was diagnosed with a security vulnerability. What should I do?
If you have received alerts or recommendations from a vulnerability assessment, please contact our Support Team. We will look into them and respond with the best course of action.
Please note that, depending on the nature of the issue(s), we may determine that no action is required. Also, some automated detection tools are prone to false positives, so please verify that the findings are valid before sending them to us.
Findings that do not require further action
The following findings are considered low-risk and/or do not require further attention.
Non-actionable findings
- HTTP 3xx status codes
- Headers such as X-Content-Type-Options
Findings that are difficult to address due to CMS features
- X-XSS-Protection is disabled on the admin panel, usually because the browser's XSS filter has misdiagnosed legitimate updates on the update screen as attacks.
Findings that are difficult to address for security or convenience reasons
- Revealing whether or not an e-mail address exists in the password reminder (when the limit on the number of times this can be displayed is reached)
- Revealing whether or not an e-mail address exists during member registration (when the limit on the number of times this can be displayed is reached; this can be prevented by choosing the option that registers with only the e-mail address and completes registration from the reply e-mail)
- Forcing frequent password changes (this can be set on the management screen)
- The SameSite attribute of the cookie is not set to Strict (the cookie on the management screen is set to Strict, but for the API it is set to None)
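To check a scanner's SameSite finding against the policy above before forwarding it to support, here is an added example (not Kuroco's own code); the cookie names, header values and the admin/api scope labels are constructed for illustration.

```python
# Added example: triage a SameSite finding per the policy described above.
# Admin-screen cookies are expected to be SameSite=Strict; API cookies are
# expected to be SameSite=None (the front end calls the API cross-site).
# Scope labels and sample headers below are constructed, not Kuroco's real values.
EXPECTED_SAMESITE = {"admin": "strict", "api": "none"}


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, attrs); attrs keys are lowercased,
    and valueless flags such as Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name.strip(), attrs


def triage_samesite(scope: str, set_cookie: str) -> dict:
    """Return whether a SameSite finding deviates from the documented policy.
    'actionable' means it is worth sending to support; a match is a false positive."""
    name, attrs = parse_set_cookie(set_cookie)
    expected = EXPECTED_SAMESITE[scope]
    samesite = attrs.get("samesite")  # None when the attribute is absent
    if samesite == expected:
        # SameSite=None is only honoured by browsers together with Secure.
        if samesite == "none" and "secure" not in attrs:
            return {"cookie": name, "actionable": True,
                    "reason": "SameSite=None without Secure"}
        return {"cookie": name, "actionable": False,
                "reason": f"matches documented {scope} policy"}
    if samesite is None:
        return {"cookie": name, "actionable": True,
                "reason": "SameSite attribute missing"}
    return {"cookie": name, "actionable": True,
            "reason": f"expected SameSite={expected}, got {samesite}"}


# Constructed sample headers as a scanner might quote them.
ADMIN_OK = "admin_session=CONSTRUCTED; Path=/; Secure; HttpOnly; SameSite=Strict"
API_OK = "api_session=CONSTRUCTED; Path=/; Secure; HttpOnly; SameSite=None"
API_BAD = "api_session=CONSTRUCTED; Path=/; SameSite=None"

if __name__ == "__main__":
    for scope, hdr in (("admin", ADMIN_OK), ("api", API_OK), ("api", API_BAD)):
        print(scope, triage_samesite(scope, hdr))
```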
Non-urgent findings
- Items that are not vulnerabilities, such as those rated [INFO].
However, we may still ask you to share these items in some cases.
Findings beyond the scope of Kuroco's services
- Vulnerabilities resulting from the front-end implementation, or from settings omitted on the API or in the management screen. If you have a plan to solve these issues, contact our support team and we will do our best to support you where applicable.
More information
Support
If you have any other questions, please contact us or check out our Slack Community.