Security issue reporting and bug bounty guidelines.

Scope

This program covers the Ackaia Corp. services and current internal servers/systems operated by Ackaia Corp.

The Ackaia Corp. components in-scope are:

  • Ackaia Corp. Trustcenter
  • Ackaia Corp. Servers
  • The following websites: ackaia.com and any other subdomains on ackaia.com

No bounties will be given for any disclosures relating to any applications outside the scope of
this program.

Exclusions

The following items are considered out-of-scope for all Ackaia Corp. offerings:

  • Hypothetical issues that do not have any practical impact. Examples include:
      a) Vulnerabilities reported by use of automated tools/scanners, without
         accompanying validation.
      b) User enumeration without any further impact.
      c) Disclosure of software version numbers (we maintain forks of several tools,
         and apply security patches accordingly).

  • Attacks that require social engineering/phishing.
  • Attacks that require physical access to the user’s device.
  • Attacks that involve the user running malware that then places or modifies content on
    the target machine, which Ackaia could later run as the local user.
    * However, any case that allows malware or compromised software to perform
      privilege elevation through Ackaia Servers/Services, without providing administrative
      credentials or confirming a UAC dialog, is in scope.

  • Open redirects or linkfilter bypasses that cannot be leveraged to programmatically
    exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).
  • Content Spoofing / Text Injection that cannot be leveraged for XSS or sensitive data
    disclosure (e.g., clickjacking attacks, content manipulation by element inspection,
    etc.).
  • Host header injection without a specific proof of concept.
  • Self XSS or XSS that affects only out-of-date browsers.
  • Denial of Service Attacks.

Dependencies

Ackaia Corp. services make use of a number of open source and commercial packages. If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor. We will not pay bounties on undisclosed vulnerabilities in dependent components.

Patches to dependent libraries are generally rolled out by our internal change management systems. Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream and scheduled for deployment, but not yet applied to our software or production systems.

We welcome reports that identify Ackaia Corp. systems that have fallen out of date (indicating a problem with our update or change-management procedures).

Special Note for Ackaia Corp. Websites

Many Ackaia Corp. websites use a cookie called ‘sessionid’. This cookie is used only as an anti-CSRF token and is not used for user authentication. Please do not report attacks that leak the value of this cookie as account takeover vulnerabilities.

Assessing Severity and Rewards

For valid reports that are in scope, Ackaia Corp. will determine appropriate rewards.

Remote Code Execution reports

Remote code execution attacks can be complex to triage and assess. We place a premium on reports that can clearly demonstrate impact to users, and which are faster to technically validate.

Your report must meet the following requirements to be accepted:

  1. Actual RCE must be demonstrated. Your report should include clear steps that
    reliably launch another application – e.g. Calculator – on the target machine.
  2. The payload must be delivered over the network – not loading resource files already
    on the target computer.

Responsible Disclosure and Guidelines

When submitting potential vulnerabilities, we ask that you follow Ackaia’s general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.

  • Let us know as soon as possible upon discovery of a potential security issue, and
    we’ll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to
    the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and
    interruption or degradation of our service.

Ackaia Corp. embraces transparency in our security. We will generally disclose the details of vulnerabilities found, upon request. We will generally permit external discussion of them (such as blog posts) with our permission. We reserve the right to make exceptions to this policy at our discretion.

Please note that we will not consent to disclosure of reports that have been marked out-of-scope or inapplicable, or where Ackaia Corp. has not taken a specific corrective action / mitigation.

The Fine Print

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

Ackaia Corp. will have the right to determine CVSS classification, report validity, duplications, exclusions and out-of-scope bugs in its sole discretion. Reports received through other channels prior to the paid bug bounty program launch are not eligible for monetary rewards.