Details

No technology is perfect, and Alvosec believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

OUR MAIN GOAL IS TO PROTECT OUR SERVERS, SO ANY FOUNDED VULNERABILITY OR MISCONFIGURATION THAT CAN LEAD TO DISCLOSURE OF SENSITIVE DATA SHOULD BE REPORTED HERE.

Which type of attacks are allowed to preform on our system:

bypassing firewall rules
privilege escalation of MySQL, SSH, mail server or any other service which is running on the server
SSL attack
DNS attack
zero day exploit
data leaking

(Don't use Nessus or OpenVAS, try to preform manual pentest)

OUR SECOND GOAL IS TO KEEP OUR WEBSITE SAFE AS MUCH AS POSSIBLE. Type of attacks:
OWASP TOP 10
Pentest is allowed to perform only on alvosec.com + including all subdomains that are in scope.

Out of Scope

Also, the following do not quality:

DoS, brute force, user enumeration or DDoS attacks
Banner or version disclosures.
HSTS or CSP headers
Missing SPF
Missing cookie flags on non-security sensitive cookies
User enumeration
Host header injection
Presence of autocomplete attribute on web forms
Disclosure of known public files or directories, (e.g. robots.txt)
Open ports without a vulnerability
Missing captcha
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

AVOID USING AUTOMATED TOOLS (SCANNERS ETC.) THAT ARE MAKING HUGE LOAD ON SERVERS.

While researching, we'd like to ask you to refrain from:

Denial of service
Spamming
Social engineering (including phishing) of Alvosec staff or contractors
Any physical attempts against Alvosec property or data centers
Creating social media accounts by using our name

Thank you for helping keep Alvosec and our users safe!

Disclosure Policy

OUR MAIN GOAL IS TO PROTECT OUR SERVERS, SO ANY FOUNDED VULNERABILITY OR MISCONFIGURATION THAT CAN LEAD TO DISCLOSURE OF SENSITIVE DATA SHOULD BE REPORTED HERE.

Which type of attacks are allowed to preform on our system:

bypassing firewall rules

privilege escalation of MySQL, SSH, mail server or any other service which is running on the server

SSL attack

DNS attack

zero day exploit

data leaking

(Don't use Nessus or OpenVAS, try to preform manual pentest)

OUR SECOND GOAL IS TO KEEP OUR WEBSITE SAFE AS MUCH AS POSSIBLE. Type of attacks:

OWASP TOP 10

Pentest is allowed to perform only on alvosec.com + including all subdomains that are in scope.

Out of Scope

Also, the following do not quality:

DoS, brute force, user enumeration or DDoS attacks

Banner or version disclosures.

HSTS or CSP headers

Missing SPF

Missing cookie flags on non-security sensitive cookies

User enumeration

Host header injection

Presence of autocomplete attribute on web forms

Disclosure of known public files or directories, (e.g. robots.txt)

Open ports without a vulnerability

Missing captcha

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

AVOID USING AUTOMATED TOOLS (SCANNERS ETC.) THAT ARE MAKING HUGE LOAD ON SERVERS.

While researching, we'd like to ask you to refrain from:

Denial of service

Spamming

Social engineering (including phishing) of Alvosec staff or contractors

Any physical attempts against Alvosec property or data centers

Creating social media accounts by using our name

Thank you for helping keep Alvosec and our users safe!