Here at Akeero we are committed to providing secure products and services to our customers, and welcome reports from independent researchers, industry organisations, vendors, customers, and other sources concerned with security. If you believe you have discovered a potential security vulnerability with our products or services, we look forward to receiving your report, and appreciate your help in disclosing the issue to us responsibly.
Out of Scope Vulnerabilities
Akeero defines a security vulnerability as an unintended weakness in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or service. When reporting vulnerabilities, please consider:
- The attack scenario / exploitability, and
- The security impact of the bug
The following issues are considered out of scope:
- Denial of service attacks
- Password cracking attempts, including but not limited to:
  - brute forcing
  - rainbow table attacks
  - word list substitution
  - pattern checking
- Clickjacking on pages with no sensitive actions
- Attacks requiring takeover of the email or social account authenticating the victim account.
- Tab-nabbing on non-user provided links
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept (PoC)
- Comma-Separated Values (CSV) injection without demonstrating exploitation via a PoC
- Missing best practices in SSL, TLS and HTTP header configuration
- Social engineering attacks (including phishing, vishing, smishing)
- Software version disclosure
- Issues requiring direct physical access to hardware
- Flaws affecting out-of-date browsers and plugins
- Email enumeration / account oracles
- CSP weaknesses
- Email spoofing
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
We will investigate all eligible reports and do our best to fix valid issues quickly.
We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity – we very much value your assistance in preserving those.
Our customers’ privacy, data confidentiality, and integrity are crucial at Akeero. You agree that you will not disclose vulnerability information to any other third party until granted permission to do so by Akeero. We endeavor to grant such permission within two to four weeks from the release of the fix that addresses the discovered vulnerability.
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue, or accesses other users’ data – in other words, anyone who violates this policy.
- The severity of a vulnerability within a report will be verified using the NVD CVSSv3.1 calculator. The severity rating produced by that calculation will be considered final
- Bounties are not guaranteed and are issued solely at the discretion of Akeero
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
- You must disclose all possible ways to exploit an issue in your original report. Akeero will not issue a bounty, follow-on bounty, or bonus if we believe you are abusing this process by not providing complete information in your initial report
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be eligible for a reward. This usually requires a working PoC, typically in the form of a clickable link that we can verify. Videos or screenshots are not considered definitive proof, and you may be asked to provide additional information
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate combined impact
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced)
- Social engineering (e.g. phishing, vishing, smishing) is prohibited
- Lateral movement from a compromised host is prohibited
- Any manipulation or further exploit past the initial PoC is prohibited
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder
- Please submit your report to sirt(at)akeero.com. Your report should include a detailed description of the issue, and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity – we very much value your assistance in preserving those
Akeero’s default policy is to acknowledge all researchers who submit a valid security vulnerability report. We are a small startup, and although we can’t match large companies when it comes to monetary bounty awards, we understand the value of a good submission and we do offer researchers a few different awards options.
Any such bounty will be awarded after an Akeero team member has confirmed the issue during the Triage process. We generally won’t wait to award a bounty until after the item is fixed as we understand some issues may have long lead times in deploying fixes. Bounties are only awarded for actual security or privacy impacting reports, and not for functionality or other types of bugs.
Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.
Akeero will make a best effort to meet the following timelines:
- Time to first response (from report submission) – 1 business day
- Time to triage (from first response) – 1 business day
- Time to acknowledgment (from triage) – 10 business days
We’ll try to keep you informed about our progress throughout the process.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.