Security Vulnerability Reporting

Responsible Disclosure Policy

At Altostrat, the security of our products and services is our highest priority. We value the contributions of the security research community and believe that responsible disclosure is crucial for maintaining a secure environment for everyone.

Policy Scope

This policy applies to security vulnerabilities discovered in the following Altostrat-owned systems and services:

  • The Altostrat SDX Platform (*.altostrat.io)
  • The main Altostrat marketing website (altostrat.com)
  • Publicly documented Altostrat APIs
  • Any other Altostrat-branded product or service

Any service not explicitly listed, such as third-party services we use, is excluded from scope.

How to Report a Vulnerability

If you believe you have discovered a security vulnerability, please report it to us by emailing our security team directly at:

security@altostrat.io

Please use encrypted communication (e.g., PGP) for sensitive details. We aim to acknowledge receipt within 2 business days.

What to Include in Your Report

To help us investigate and resolve the issue efficiently, please provide detailed information:

  • Clear description of the vulnerability and its potential impact.
  • Detailed, step-by-step instructions to reproduce the vulnerability.
  • Any proof-of-concept code, scripts, or screenshots.
  • The affected product/service name and version if known.
  • Your name and contact information for follow-up.

Prohibited Activities

While we encourage security research, you must not:

  • Engage in any activity that could cause a Denial of Service (DoS/DDoS).
  • Access, modify, or exfiltrate data that does not belong to you.
  • Attempt to violate the privacy of our users, customers, or employees.
  • Engage in social engineering (including phishing).
  • Conduct physical attempts against Altostrat property or data centers.
  • Use automated scanners that produce high volumes of traffic.
  • Perform any destructive testing.
  • Publicly disclose a vulnerability before it has been remediated.

Engaging in prohibited activities may result in your report being disregarded.

Our Commitment

When you report a vulnerability in good faith and adhere to this policy, Altostrat commits to:

  • Acknowledge receipt of your report promptly (target: 2 business days).
  • Investigate the report in a timely manner.
  • Work diligently to remediate confirmed vulnerabilities.
  • Maintain open communication and provide status updates upon request.
  • Offer public recognition for valid reports if desired (we do not offer monetary rewards).

Safe Harbor

Altostrat will not initiate legal action against individuals for discovering and reporting security vulnerabilities in accordance with this policy. We consider security research conducted under this policy to be authorized conduct. You are expected to comply with all applicable laws.

Out-of-Scope Vulnerabilities

The following findings are generally considered out of scope unless a specific, significant impact can be demonstrated:

  • Clickjacking on pages without sensitive actions.
  • Missing security best practices without a direct vulnerability.
  • Self-XSS and issues affecting only outdated browsers.
  • Content spoofing / text injection.
  • Vulnerable libraries without a working Proof of Concept.
  • Weak TLS/SSL configurations.
  • Disclosure of known public files (e.g., robots.txt).
  • Unverified findings from automated scanners.
  • Logout CSRF.
  • Presence of autocomplete attributes.
  • Rate limiting or brute force issues without clear impact.
  • Missing cookie flags on non-sensitive cookies.
  • Email security findings (SPF/DKIM/DMARC) on non-mailing domains.

This list is not exhaustive. Decisions on scope are at the discretion of our security team.

Thank you for helping keep Altostrat and our users secure.