Kromtech Security Center Research Policy

Who we are

Kromtech Security Center was established in Dec 2015 with the goal to help protect private data, identify data leaks, and follow a responsible disclosure policy.

While you might not know our name, you likely know our work. Many of our discoveries have been covered in major news and technology media, earning Kromtech Security Research Center a reputation as one of the fastest-growing cyber data security departments on the planet.

We regularly conduct security research to locate any possible data exposures in the databases owned by various companies, organizations, and institutions. You can read some of our recent reports here: https://kromtech.com/blog.

Key contacts:

Kromtech Security Team
https://kromtech.com/blog/security-center
security@kromtech.com
bdiachenko@kromtech.com
Twitter: @kromtech

Our mission

Kromtech Security Center (KSC) is focused on monitoring digital risks and privacy violations beyond the boundary. Our mission is to make the digital world safer by educating businesses and communities worldwide. We work hard to identify cyber threats, data leakage, and reputational risk by addressing the following factors, among others:

Privacy data

User privacy is a big deal — and big business for cybercriminals. The digital footprint of most organizations is made up of personal, technical, and highly confidential information. In many cases, we’re talking about proprietary information.

Cybercriminals and hostile groups are intent on exploiting this information to find an organization’s weak points and launch targeted cyber-attacks. Unfortunately, most security teams are understaffed, under-skilled, and not able to handle complex privacy protection. They need distilled, relevant information about their exposure online, the threats they face, and ways to mitigate them. That’s where we come in.

Our legal basis to process data

When we process data, we rely on legitimate interest as the lawful basis for processing.

A company that decides to rely on legitimate interest must perform a legal balancing test. Here is a short summary of our analysis.

Purpose test: are we pursuing a legitimate interest?

Necessity test: is the processing necessary for that purpose?

Balancing test: do the individual’s interests override the legitimate interest?

How we discover exposures and vulnerabilities

To discover data breaches, leakages, and vulnerabilities on the Internet, we use the Shodan Search Engine together with our internally developed Public Exposed Data Analyzer.

When we find a public database (data that is fully accessible to anyone without any restrictions), we collect several digital samples for further analysis. If these samples contain any kind of private or sensitive data, we employ a Responsible Disclosure model to privately communicate our findings to the data owners (the company or organization that left the information publicly accessible) and help them implement specific security safeguards to protect their private data.

But we don’t stop there. Next, we prepare a non-public report on our findings in accordance with the following guidelines:

Types of data we look for

Shodan Search Engine API helps us find specific information about hosts connected to the Internet, including:

Public Exposed Data Analyzer gathers information about databases including:

Next, we analyze 20 records from each discovered database, table, or collection held in MongoDB or CouchDB. For storage services such as Amazon S3 (Simple Cloud Storage Service) or RSync, we collect a listing of their contents.

Our main goal is to find publicly exposed sensitive data and alert the company so that data leaks can be prevented.

How we process exposed data

After finding a publicly available source of data, our security analysts examine its consistency and assess the value of that data (i.e., whether it contains any sensitive personal information).

Our researchers use non-intrusive tools (in most cases just a browser) to review and understand the information found. The results are then transferred internally for further analysis.

All the data found is stored internally on Kromtech’s protected servers for analysis. We strictly follow these practices to ensure that the data cannot be compromised:

About the Responsible Disclosure model we follow

We look for vulnerabilities because we care about the people whose data may be compromised and the companies that are unaware of their poor security. That’s why we employ best practices for reporting and non-dissemination of any information we find. Here’s a look at what we do:

We respect the sanctity of the data that is uncovered in our findings. We wish nothing more than to cooperate in good spirit and offer reasonable assurances with regard to the security of the data that is within our control.