Vulnerability Disclosure Programme (VDP)
At Avallain, we prioritise the security and integrity of our products and services. As part of our commitment to maintaining a safe environment for our customers and partners, we have established a Vulnerability Disclosure Program (VDP) together with HackerOne, the world’s largest community of trusted ethical hackers.
This program allows security researchers to report vulnerabilities responsibly and securely.
How to report a security vulnerability to us
If you have discovered a potential vulnerability, we encourage you to report it to us right away through our VDP. Please use our secure submission form to report the vulnerability. Include all necessary details, such as the affected system, steps to reproduce the issue, and any supporting evidence (e.g., screenshots, logs).
Research Guidelines
While we reserve final and sole discretion for whether you are acting in good faith and in accordance with this Policy, we will generally presume you are acting in good faith if you abide by this Policy for conducting security research and discovering potential vulnerabilities related to the Information Systems and agree to the following:
- Stay Within Scope: Ensure your testing respects our defined scope and does not cause harm or disruption to our systems and services. Refer to our VDP scope and guidelines for more information.
- Respect Privacy: Avoid accessing, modifying, or deleting any data other than your own. Respect the privacy of our customers and partners at all times.
- Wait for Acknowledgment: Our security team will review your submission and provide an acknowledgment within a reasonable timeframe. We may request additional information or clarification.
- Collaborate for Resolution: We will work with you to understand the vulnerability and develop a resolution. Once the issue is resolved, we will provide you with feedback and, if applicable, public recognition for your contribution.
Also:
- You will use your @wearehackerone.com email address when creating any accounts for the purpose of testing and add an X-HackerOne-Handle: <your handle> header to your requests.
- You are testing Information Systems for the sole purpose of identifying or discovering a potential vulnerability or any associated indicator of a vulnerability and reporting such information to us.
- You will avoid causing any harm to the Information Systems, including avoiding any data destruction, use, access, or acquisition; disruption of Information Systems or any customer user experience (including initiating denial of service attacks or using tools that generate substantial amounts of traffic); violation or compromise of the privacy or security of our customers, employees, or other users; or other illegal or harmful activities.
- You will avoid exploiting any vulnerability beyond what is minimally required to reasonably prove that such potential vulnerability exists, including avoiding accessing, acquiring, or using data that may be accessible from exploiting the vulnerability.
- You will avoid accessing, acquiring, or using the content of any communications, data, or information transmitted or stored on the Information Systems, unless such access is inadvertent.
- You will not exfiltrate, download, or otherwise retain any data that you collect. If you inadvertently access any data, you will report such access to us as part of your report.
- You will avoid disclosing the existence of or any details relating to the discovered vulnerability to a third party or to the public until you have received prior written notice from us. We fully support researchers’ right to publicly disclose vulnerabilities they discover. We ask only to coordinate on the timing of such disclosures to prevent potential harm to our services, customers, and other parties. Researchers are free to report similar vulnerabilities in other services – we will never attempt to restrict such disclosures.
- You must not perform any attacks that would compromise the security or confidentiality of any account that is not your own.
- You must not perform any social engineering attacks (phishing, vishing, etc.) on any Avallain employee, contractor, or representative.
- You must not, as a condition of disclosure, require payment or compensation, or otherwise make threats to disclose the vulnerability in an irresponsible manner.
- You are, at all times, in compliance with all applicable federal, state, and local laws in connection with your research activities.
Recognition
We value the contributions of security researchers and appreciate their efforts to help us improve our security. Depending on the severity and impact of the vulnerability reported, you will gain reputation in the HackerOne community. Maintaining a high reputation unlocks various privileges, including the eligibility to receive invitations to private bug bounty programs.
Disclaimer
By participating in our VDP, you agree to follow our guidelines and adhere to responsible disclosure practices. Any actions that violate our guidelines or cause harm to our systems, data, or users will not be tolerated.
Contact Us
If you have any questions or need further assistance, please contact our security team at security AT avallain DOT com. We are committed to working together to maintain a secure environment for everyone.