AWARE7 highly appreciates the detection of security vulnerabilities, which is carried out by well-intentioned, ethical security researchers. We strive to thoroughly investigate and solve security problems in our platform and services in cooperation with the community. This document aims to define a method by which AWARE7 can work with the community to improve security.
This Security Disclosure Policy (SDP) applies only to vulnerabilities in AWARE7 products and services under the following conditions:
Only vulnerabilities that were not originally and previously reported and not already discovered by internal procedures are included in the scope of the SDP.
Only domains that have a security.txt file in their root are included in the scope. Sub-domains are included in scope if their parent domain is in scope. (i.e. the existence of: https://riskrex.com/.well-known/security.txt means that app.riskrex.com and www.riskrex.com are also included in the scope).
The following security issues are currently not in scope (please do not report them):
- Volumetric vulnerabilities (i.e. simply overloading our service with a high volume of requests).
- TLS configuration vulnerabilities (e.g. „weak“ cipher suite support, TLS1.0 support, sweet32 etc.)
- Reports of non-exploitable vulnerabilities
- Reports indicating that our services do not fully comply with best practice, e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc.) or suboptimal email-related configuration (SPF, DMARC etc.)
- Social engineering attacks such as phishing, vishing, smishing or impersonation
Unfortunately, due to various internal factors, we are currently unable to offer a paid bug bounty program on a regular basis. However, we would like to give a token of our appreciation to security researchers who take the time and effort to investigate security vulnerabilities and report back in accordance with this policy. Reporters of qualified vulnerabilities will be rewarded with a unique AWARE7 or monetary reward.
Reporting a vulnerability
If you have discovered an issue that you believe is a security vulnerability within the scope (see Section 2 above for more details on scope), please send an email with the following information to email@example.com:
The website or page where the vulnerability exists.
A brief description of the class (e.g. „XSS vulnerability“) of the vulnerability. Please avoid at this stage any details that would allow the problem to be reproduced. Details will be requested later via encrypted communication.
In accordance with industry conventions, we ask reporters to provide benign (i.e. non-destructive) evidence of exploitation wherever possible.
This will help ensure that the report can be reviewed quickly and accurately, while reducing the likelihood of duplicate reports and/or malicious exploitation for some classes of vulnerabilities (e.g. sub-domain takeovers). Please ensure that you do not send proof of exploitation in the first plain text email if the vulnerability is still exploitable. Please also make sure that any evidence of exploits complies with our policies (below). If in doubt, please send an email to firstname.lastname@example.org. Please read this document completely before reporting vulnerabilities to ensure that you understand and can act in accordance with the policy.
In response to your initial email to email@example.com, you will receive a confirmation response email from the AWARE7 security team, usually within 24 hours of receiving your report. After the initial contact, our security team will evaluate the reported vulnerability and respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability falls within the scope of the above-mentioned section or whether it is a duplicate report. From this point on, the necessary corrective action will be assigned to the appropriate AWARE7 teams and/or suppliers.
Priority for bug fixes and/or mitigations will be assigned based on the severity of the impact and the complexity of the exploitation. Vulnerability reports may take some time to review and/or fix, you are welcome to inquire about the status of the process, but please do not limit this to once every 14 days. This helps our security team to focus on the reports as much as possible. Our security team will notify you when the reported vulnerability is resolved (or remediation is planned) and will ask you to confirm that the resolution adequately covers the vulnerability. We will provide you with the opportunity to provide feedback on the process and the vulnerability resolution. This information is used confidentially to help us improve the way we handle reports and/or develop services and fix vulnerabilities.
Security researchers must not:
access unnecessary amounts of data. For example, 2 or 3 data sets are sufficient to prove most vulnerabilities (e.g. an enumeration or a vulnerability with direct object reference);
violate the privacy of AWARE7 users, employees, contractors, systems, etc. For example, by sharing, redistributing and/or improperly securing data accessed from our systems or services;
Communicating vulnerabilities or related details of methods not described in this policy or to anyone other than your specific BBC security contact;
changing data in our systems/services that is not your own;
disrupt our services and/or systems; or
Disclosure of vulnerabilities in AWARE7 systems/services to third parties/the public before AWARE7 confirms that these vulnerabilities have been mitigated or fixed. This does not prevent a vulnerability from being reported to third parties to whom the vulnerability is directly relevant, e.g. if the reported vulnerability is in a software library or framework – but the details of the specific vulnerability of AWARE7 may not be disclosed in such reports. If you are unsure about the status of a third party to whom you wish to send an alert, please send an email to firstname.lastname@example.org to resolve the issue.
We request that all data retrieved during the investigation be securely deleted as soon as it is no longer needed and no later than 1 month after the vulnerability has been resolved, whichever is sooner. If at any time you are not sure whether the measures you are planning to take are acceptable, please contact our security team (please do not include sensitive information in the initial notification): email@example.com.
This SDP is designed to be compatible with the usual good practice of security researchers. It does not give you permission to act in a manner that violates the law or to allow AWARE7 to breach any of its legal obligations. This includes, but is not limited to:
- The hacker paragraph §202c of the german penal code
- The GDPR
AWARE7 will not prosecute security researchers who report a security vulnerability in an AWARE7 service in good faith and in accordance with this SDP.
If you have any feedback or suggestions regarding this policy, please contact our security team at firstname.lastname@example.org. This policy will evolve over time, and your input is valued to ensure that it is clear, complete and remains relevant.