Responsible Disclosure Policy
At Alfen, the security of our systems is a top priority. Despite our best efforts, vulnerabilities may still exist.
If you discover a vulnerability, we appreciate your cooperation in helping us address it promptly and effectively.
Reporting a Vulnerability
To report a vulnerability, please follow these steps:
- Report your findings on our Vulnerability Disclosure Program (VDP) hosted on the Intigriti platform. You will need to register on the platform to submit your report.
- Do not exploit the vulnerability by downloading more data than necessary, deleting, or modifying data, or performing any actions that could harm the system or its users,
- Do not disclose the vulnerability to others until it has been resolved,
- Do not engage in physical security attacks, social engineering, distributed denial-of-service (DDoS) attacks, spam, or unauthorized interactions with third-party applications, AND
- Include sufficient details to help us reproduce and understand the problem. Typically, the IP address or URL of the affected system and a description of the vulnerability will suffice, though more complex issues may require additional explanation.
What We Promise
- We will respond to your report within 3 business days with an evaluation and an expected resolution date.
- If you adhere to the guidelines above, we will not pursue legal action against you for the vulnerability report.
- We will handle your report with strict confidentiality and will not share your personal details with third parties without your permission.
- We will keep you informed about the progress of resolving the issue.
- In any public disclosure of the resolved vulnerability, we will credit you as the discoverer, unless you request otherwise.
- All rewards will be managed by Intigriti in accordance with their terms and conditions. Please note that we do not pay out bounties directly through our VDP Program.
More information on rewards can be found here: Intigriti Leaderboard, Reputation, and Streak.
Legal Safe Harbour
Alfen is committed to encouraging responsible disclosure and ethical hacking.
To ensure that security researchers feel confident in disclosing vulnerabilities without fear of legal repercussions, we offer the following legal safe harbour:
- Alfen considers ethical hacking, conducted in accordance with this policy, to be “authorized” under applicable criminal and civil laws.
- Alfen will not pursue legal action or file complaints for any accidental or good faith violations committed in the process of vulnerability research.
- If legal action is initiated by a third party against you for activities consistent with this policy, and you have complied with the terms, Alfen will make it known that your actions were authorized and conducted with our approval.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.