Note: This is a Responsible Disclosure Program. If you need Aven customer support, please visit Customer Service.
#Responsible Disclosure Program
Aven is proactively working with the security community to identify new threats and help ensure the safety of customer accounts and information.
Because threats to our corporate environment and customer assets are ever present, we also value the important role the security community plays in helping us mitigate information security risk.
If you have information about possible security vulnerabilities in any Aven product or service, please submit a report using these guidelines.
#Guidelines
- Your report must meet all of HackerOne’s Vulnerability Disclosure Guidelines.
- When reporting vulnerabilities, consider (1) the attack scenario or exploitability, and (2) the security impact of the bug.
- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Provide details with reproducible steps in your report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Comply with applicable federal, state, local, and international laws in connection with your participation in this vulnerability disclosure program.
- We may modify the terms of this policy or terminate the policy at any time.
#By Submitting a Report
- You represent you are not a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.
- You consent to your information being stored and transferred to the United States and acknowledge you have read and accepted the terms of this policy and HackerOne’s Vulnerability Disclosure Guidelines.
- You agree not to disclose vulnerability details to anyone other than Aven without Aven’s written permission.
- You agree that any Aven information that you may encounter, view, acquire, or access, is owned by Aven or its customers, clients, or third party providers. You have no rights, title, or ownership in any such information.
- You agree that your research will be conducted for testing and research purposes only, and that you will not attempt to gain access to customer or user accounts or confidential information and will only interact with accounts you own.
#Scope
Domains where Aven is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Not sure what’s in scope? Send an email to support[at]hackerone.com.
Vulnerabilities typically in scope include items from the OWASP Top 10 and vulnerabilities with a confirmed security impact.
We reserve the right to determine whether to accept a report. For example, we may not accept:
- A report on a vulnerability with little security impact or exploitability
- A vulnerability outside our control
- A vulnerability discovered through automated scans that has not been verified manually
- A report of a vulnerability resulting from a violation of the program guidelines
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. These include:
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Insecure Cookie Settings on non-sensitive cookies
- Bugs requiring inordinate amounts of user interaction or prior knowledge of user secrets such as session tokens or CSRF values
- Information regarding software versions or web server versions/banners where there is no evidence these versions are impacted by a security flaw
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Missing best practices in Content Security Policy
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Social engineering (e.g. phishing, vishing, smishing), which is prohibited under the Guidelines above
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Physical security of Aven property (do not test it)
#What You Can Expect From Us
We take every disclosure seriously. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate all reported vulnerabilities.
Aven remains committed to coordinating with the security researcher transparently and promptly. This includes taking the following actions:
- Within two business days, Aven will acknowledge receipt of your report. Aven’s security team will investigate the report and may contact you for further information.
- When practicable and authorized, Aven will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, while remediation of the vulnerability is under way.
Thank you for helping keep Aven and our users safe!