Vulnerability disclosure policy
This policy applies to any vulnerabilities you are considering reporting to Allies Computing.
We recommend reading this policy in full before you report a vulnerability and request that you always act in compliance with it.
We value those who are willing to take the time and effort to report security vulnerabilities according to this policy and always welcome your feedback. We do not, however, offer monetary rewards for vulnerability disclosures.
If you believe you have found a security vulnerability relating to any of our systems or services, please submit a vulnerability report via email to firstname.lastname@example.org.
In your report please include details of:
- The website URL or API endpoint where the vulnerability can be observed;
- A brief description of the type of vulnerability, for example "XSS vulnerability"; and
- Steps to reproduce. These should lead to a benign, non-destructive proof of concept and include any API keys or service accounts used to demonstrate the vulnerability. This helps to ensure that your report can be reviewed and triaged quickly. It also reduces the likelihood of duplicate reports and helps limit exploitation of some vulnerability types.
What to expect
After your report has been submitted, we will acknowledge it within 5 working days and aim to triage it within 10 days of submission.
We will assess priority for any necessary remediation by considering the impact, severity and exploit complexity. Vulnerability reports might take additional time to fully triage or assess. You are welcome to enquire on the status or supply any additional information via email to email@example.com.
We will aim to notify you when the reported vulnerability has been remediated and may invite you to confirm that the solution adequately covers the vulnerability.
You must NOT:
- Break any applicable laws or regulations;
- Access unnecessary, excessive or significant amounts of data of any form;
- Modify data in our systems or services;
- Use high-intensity invasive or destructive scanning tools to probe our systems or find vulnerabilities;
- Attempt or report any form of denial of service, e.g. intentionally attempt to overwhelm any of our services or their service components with a high volume of requests;
- Disrupt our services or systems via any means;
- Submit reports detailing non-exploitable vulnerabilities; reports indicating that services are not aligned with any "best practices" regardless of source; reports detailing TLS configuration weaknesses including "weak" cipher suite support or TLS 1.0 support etc;
- Communicate any vulnerability reports or associated details by means other than via email to firstname.lastname@example.org;
- Attempt to social engineer, "phish" or physically attack any of our staff, business locations or infrastructure; or
- Demand financial compensation for vulnerability disclosure or non-disclosure.
You must:
- Always comply with established UK Data Protection legislation, and not violate the privacy or licensing of any data held by us or within our systems. You must not, for example, share, redistribute or fail to properly secure data retrieved from our systems or services; and
- Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved (whichever occurs first), or as otherwise required under data protection law.
This policy is intended to be compatible with widely adopted vulnerability disclosure good practice. It does not give you permission to act in any manner inconsistent with the law, or to cause Allies Computing or our partners to be in breach of any legal obligations.