Vulnerability Disclosure Policy
Our team works vigilantly to protect our customers and their information assets impacted by our software. We recognize the important role that security researchers and our user community play in keeping Applied Training Systems Inc. (“ATSI”) and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
To encourage responsible disclosure, we commit that if we conclude that a disclosure respects and meets all the guidelines outlined below we will not bring a private action or refer a matter for public inquiry.
We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure.
Guidelines for responsible disclosure
We request that you:
- Share the real or potential security issue with us before making it public to peers, on message boards, mailing lists, and other forums.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Provide full details of the security issue, and be open to describing how you found it so we may reproduce the conditions.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
- Do not submit a high volume of low-quality reports.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and ATSI will not recommend or pursue legal action related to your research.
At this time, the following services and applications are in-scope:
- Web application, services, and infrastructure on any of the following domains and subdomains:
- Anything with significant impact across our entire security posture or infrastructure
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in our third-party applications/services fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
Out of Scope
We accept only manual or semi-manual tests. All findings coming from automated tools or scripts will be considered as out of scope. Furthermore, all issues without clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope.
These items also are considered to be out of scope:
- Attacks designed or likely to degrade, deny, or adversely impact services or user experience (e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying, Spam…).
- Attacks designed or likely to destroy, corrupt, make unreadable (or attempts therein) data or information that does not belong to you.
- Attacks designed or likely to validate stolen credentials, credential reuse, account takeover (ATO), hijacking, or other credential-based techniques.
- Intentionally accessing data or information that does not belong to you beyond the minimum viable access necessary to demonstrate the vulnerability.
- Performing physical, social engineering, or electronic attacks against our personnel, offices, wireless networks, or property.
- Security issues in third-party applications, services, or dependencies that integrate with ATSI products or infrastructure that do not have a demonstrable proof of concept for the vulnerability (e.g., libraries, SAAS services).
- Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a library we rely on to include a vulnerability).
- Attacks performed on any systems not explicitly mentioned as authorized and in-scope.
- Reports of missing “best practices” or other guidelines which do not indicate a security issue.
- Attacks related to email servers, email protocols, email security (e.g., SPF, DMARC, DKIM), or email spam.
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless accompanied with working proof of concept).
- Reports of how you can learn whether a given client can authenticate to a ATSI product or service.
- Reports of mappings between code names and client names.
- Reports of simple IP or port scanning.
- Missing HTTP headers (e.g. lack of HSTS).
- Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven vulnerability.
- Clickjacking or self-XSS reports.
- Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
- Domain-based phishing, typosquatting, punycodes, bitflips, or other techniques.
- Violating any laws or breaching any agreements (or any reports of the same).
Reporting a vulnerability
We accept vulnerability reports via:
Be sure to include an email address where we can reach you in case we need more information. We take security issues seriously and will respond swiftly to fix verifiable security issues. Some parts of our product are complex and take time to update. When properly notified of legitimate issues, we will do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible.
We do not support PGP-encrypted emails at this time. For particularly sensitive information, please submit through our HTTPS web form.
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- Within 7 business days, we will acknowledge that your report has been received.
- We will perform an initial assessment on the potential findings to determine accuracy, need for escalation and product team to work with. In this phase, you may:
- Receive requests for additional information, or
- Receive notification that the vulnerability is not accepted into the program because it does not meet the criteria of the program or provide sufficient detail. (You may respond to any notifications of non-acceptance by contacting firstname.lastname@example.org)
- We will develop a resolution and take appropriate action depending on the criticality scoring of the vulnerability.
- We will provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.
Where necessary or if we are unable to resolve communication issues or other problems, ATSI may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.
Note: Any information shared with ATSI may be used by ATSI in any manner determined appropriate by ATSI. Submitting any information will not create any rights for the submitter, nor will it create any obligations for ATSI.
ATSI does NOT offer compensation for vulnerabilities that are disclosed. We will, from time to time, say thank you for new and interesting reports in our thanks section of this page. Please note however that providing a report does not guarantee a credit.