Vulnerability Disclosure Policy

IT security is an ongoing process that we take very seriously. Therefore, we recognize the work of the wider security community and support the reporting of potential security vulnerabilities in a coordinated, constructive and transparent manner. This enables us to continuously provide our clients with better and safer services.

Scope

This policy applies to the domains and subdomains of Aliter Technologies a.s.:

Exceptions to the scope

Security testing and reporting of vulnerabilities falling into these areas is outside the relevant scope:

  • social engineering (e.g. phishing),

  • denial of service,

  • brute force attacks,

  • attacks beyond checking the existence of a vulnerability (do not compromise or obtain data, do not change system and application settings, do not create a persistent presence, do not continue attacks to other systems),

  • attacks related to non-updated and unsupported SW versions,

  • vulnerabilities without demonstrable exploitability or impact (e.g. authentication is required),

  • vulnerabilities of low severity (e.g. clickjacking, autocomplete web forms, SSL/TLS ciphers, revealing SW versions, missing HTTP headers, email security techniques – SPF, DKIM, DMARC, etc.),

  • recommendations for optimizing settings.

How can you report a security vulnerability?

If you discover a security vulnerability in our system or product, please report it to us as soon as possible. Just send an email to vulnerability@aliter.com.

Please encrypt your message and its attachments with our PGP public key.

Please provide the following information in the report:

  • a detailed description of the vulnerability,

  • the time and method of discovery of the vulnerability,

  • a specification of the system or product where the vulnerability was discovered,

  • the steps necessary to reproduce the vulnerability,

  • any other related information (code samples, log entries, screenshots, etc.).

How do we address security vulnerabilities?

We will review the reported cases within 5 working days and let you know our opinion. We will keep you informed of the process and provide an estimated time to fix the issue.

Legal opinion

Aliter Technologies declares that it will not take legal action against whistleblowers who report vulnerabilities in accordance with this policy.

We will process the information provided by the whistleblower in a confidential manner and will not disclose his/her personal data to third parties without his/her permission. We do not provide any financial reward for the reporting of vulnerabilities, but as a token of appreciation we may publish the whistleblower's name on our website and present his/her contribution if the whistleblower agrees.

Security Vulnerability Whistleblower Hall of Fame