Responsible Disclosure Policy
Introduction
At AMPECO, we are committed to maintaining adequate security for all our solution components. We regularly use automated vulnerability scanning tools, perform third-party penetration testing, and investigate vulnerabilities reported via different channels.
We would like to receive confidential information about potential weaknesses in our services. If you are a developer or a researcher and have discovered information that might be helpful for us in addressing security vulnerabilities, you may use the channel defined below.
We do not operate a bug bounty program and will not provide any monetary reward for your responsible disclosure.
Safe Harbor
If you follow this policy during your security research, we will consider your research authorized; we will work with you to understand and resolve the vulnerabilities identified, and AMPECO will not pursue legal action related to your research.
Guidelines
We expect you to adhere to the following guidelines while performing your security research:
- Notify us as soon as possible after you discover a real or potential security vulnerability. Once you have established that a vulnerability exists, or you encounter any sensitive data (including personally identifiable information), you must stop your test, notify us immediately, and not disclose this data to anyone else.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
- Provide us with a reasonable amount of time to resolve the issue and to authorize public disclosure.
Communication
Our preferred method of communication is email: [email protected]
In your responsible disclosure report, please describe the vulnerability, steps to reproduce the issue, and any potential impact or risk.
We will acknowledge the receipt of your vulnerability report within three days.
We operate a security risk assessment process for all reported vulnerabilities and may come back to you with additional questions to help us rate the potential impact. Once we complete our risk assessment, we will determine the expected timeline for resolution. We will inform you whether and when we would support public disclosure of the identified vulnerability.
Testing methods
We do not authorize the use of:
- Network DoS/DDoS or other tests that impair access to or damage our systems or data;
- Social engineering or phishing;
- Penetration testing.
We have implemented a separate process to authorize penetration testing conducted by partners of our customers. If you are a customer interested in performing a penetration test, please contact your Customer Success Manager at AMPECO. We do not authorize penetration testing performed by non-contracted parties.
Questions
If you have any questions on this policy, you may contact us at [email protected]
Last Updated: December 2023