Responsible Disclosure Policy
Policy Scope
This policy applies to security vulnerabilities discovered in the following Altostrat systems and services:
- Altostrat SDX Product Suite
- Altostrat Compliance Platform
- Altostrat EDR Product Suite
- The primary Altostrat marketing website and associated subdomains
- Publicly exposed Altostrat APIs
Any service not explicitly listed above, including third-party services used by Altostrat, is excluded from scope unless specified otherwise.
How to Report a Vulnerability
If you believe you have discovered a security vulnerability within the scope of this policy, please report it to us by emailing our security team directly at:
Please use encrypted communication (e.g., PGP) if possible when transmitting sensitive details. Contact us for our public key if needed. We aim to acknowledge receipt within 2 business days.
What to Include in Your Report
To help us investigate and address the issue efficiently, please provide detailed information in your report:
- Clear description of the vulnerability type and its potential impact.
- Detailed, step-by-step instructions to reproduce the vulnerability (including URLs, screenshots, code snippets, environment details).
- Any proof-of-concept code or tools used (avoid sending malicious executables).
- The affected product/service name and version (if applicable and known).
- Your name and contact information (optional, but needed for acknowledgement/follow-up).
- Any proposed mitigation or remediation steps (optional).
Prohibited Activities
While we encourage security research, you must not engage in the following activities:
- Denial of Service (DoS or DDoS) attacks.
- Accessing, modifying, exfiltrating, or deleting data that does not belong to you.
- Attempting to violate the privacy of our users, customers, or employees.
- Social engineering (including phishing) of Altostrat personnel or customers.
- Physical attempts against Altostrat property or data centers.
- Using automated vulnerability scanning tools that produce high network traffic volume without prior coordination.
- Destructive testing that could interrupt services or damage systems.
- Posting, transmitting, uploading, linking to, or sending any malware.
Engaging in prohibited activities may result in your report being disregarded and could lead to legal action. When in doubt, please contact us first.
Our Commitment
When you report a vulnerability in good faith and adhere to this policy, Altostrat commits to:
- Acknowledge receipt of your report promptly (target: within 2 business days).
- Investigate the reported vulnerability thoroughly and in a timely manner.
- Work diligently to remediate confirmed vulnerabilities based on severity and impact.
- Maintain open communication, providing status updates upon reasonable request (balancing transparency with security needs).
- Offer public recognition for valid reports if desired by the researcher (we do not currently offer monetary rewards/bug bounties).
Safe Harbor
Altostrat will not initiate legal action against individuals for discovering and reporting security vulnerabilities in accordance with this policy. We consider security research and vulnerability disclosure activities conducted strictly following this policy to be authorized conduct. We waive potential claims under anti-circumvention laws (like the DMCA) for research adhering to this policy. Should legal action be initiated by a third party against you related to activities compliant with this policy, we will take reasonable steps to make it known that your actions align with this policy. You are expected to comply with all applicable laws.
Out of Scope Vulnerabilities
The following types of findings are generally considered out of scope. While we appreciate all reports, these typically do not qualify for acknowledgement under this program unless a specific, significant impact can be demonstrated:
- Clickjacking on pages without sensitive actions or state changes.
- Missing security best practices (e.g., absent rate limiting without clear impact, or missing common HTTP headers such as HSTS) unless they lead directly to a vulnerability.
- Self-XSS that cannot be used to exploit other users.
- Content spoofing / text injection without demonstrating impact.
- Publicly known vulnerable libraries/versions without a working Proof of Concept demonstrating exploitability in our context.
- TLS/SSL configuration weaknesses (e.g., weak cipher suites, BEAST/CRIME) without a demonstrated practical exploit.
- Disclosure of known public files or directories (e.g., robots.txt, sitemap.xml).
- Findings from automated scanning tools without manual verification and impact assessment.
- Logout Cross-Site Request Forgery (CSRF).
- Presence of the autocomplete attribute on web forms.
- Denial of Service related to resource exhaustion (unless demonstrating a novel or low-cost technique).
- Missing cookie flags (HttpOnly, Secure) on non-sensitive cookies.
- Email security findings (SPF, DKIM, DMARC) related to informational domains not sending mail.
This list is not exhaustive, and decisions on scope are at the discretion of the Altostrat security team.
Thank you for helping keep Altostrat and our users secure.