
Responsible Disclosure Policy

1.1 Submission Process
  1. All discovered vulnerabilities shall be submitted to [email protected]
  2. Augmentt shall acknowledge vulnerability submission by responding to the sender’s initial email address within 3-5 business days
  3. Augmentt shall not reward or acknowledge any vulnerabilities if:
    1. The vulnerability has already been publicly disclosed
    2. The vulnerability hunting has caused any incidents to Augmentt’s services or its infrastructure
    3. The vulnerability represents an informational or low impact severity for Augmentt’s business activities
1.2 Assessment Methodology
  1. All discovered and disclosed vulnerabilities shall be confirmed, assessed, and assigned a risk level
  2. Assessment methodology shall be the following:

Risk Factors

Each finding is assigned two factors to measure its risk. Factors are measured on a scale of 1 (very low) through 5 (very high). This follows the OWASP Risk Rating Methodology.

Impact

  • Indicates the finding’s effect on technical and business operations. It covers aspects such as the confidentiality, integrity, and availability of data or systems; and financial or reputational loss.

Likelihood

  • Indicates the finding’s potential for exploitation. It considers aspects such as the skill level required of an attacker and relative ease of exploitation.

Severity Definitions

  • Findings are grouped into four severity levels based on their risk as calculated by their business impact and likelihood of occurrence, risk = impact * likelihood.
| Risk Level | Description | Reward assessment |
| --- | --- | --- |
| High | Vulnerabilities with a high or greater business impact and a high or greater likelihood are considered High severity. If exploited, this type of vulnerability may severely impact business activities and operations. | The highest tier of reward |
| Moderate | Vulnerabilities with a medium business impact and a medium likelihood are considered Medium severity. This also includes vulnerabilities that combine a very high business impact with a low likelihood, or a low business impact with a very high likelihood. | Regular reward rate |
| Low | Vulnerabilities with a very low business impact and at most a high likelihood, or a very low likelihood and at most a high business impact, are considered Low severity. Vulnerabilities where both business impact and likelihood are low are also considered Low severity. | Discretionary reward rate |
| Informational | Known vulnerabilities are acknowledged but are not assigned a risk level. | |
1.3 Excluded Submission Types

Some submission types are excluded because they are dangerous to assess, or because they haven’t met the submission criteria. These findings will be immediately marked as invalid, and are not rewardable:

  • Findings from physical testing such as office access (e.g. open doors, tailgating).
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Functional, UI, and UX bugs and spelling mistakes.
  • Denial of Service (DoS/DDoS) vulnerabilities.

We determine bounty eligibility at our sole discretion based on a variety of factors, including (but not limited to) impact, risk, data exposure, ease of exploitation, and quality of the report. Our bounty awards vary by the classification of the issue. While we do not disclose the payout, we do offer a $ bounty for Medium and High Risk disclosures.

In the event of duplicate reports, we award a bounty to the first person to submit an issue meeting the eligibility requirements. Note that vulnerabilities reported in third-party systems/services are not eligible under our bug bounty program, although we encourage you to report them.

Rules

Rules For You:

  • Don’t maliciously attempt to leverage the reported vulnerability
  • Don’t perform any attack that could harm the reliability/integrity of our services or data
  • Don’t publicly disclose a security vulnerability before it has been fixed
  • You cannot be an Augmentt employee or a contractor employed by Augmentt

Rules for Us:

  • We will respond as quickly as possible to your submission
  • We will pay the eligible bounty upon validation of the vulnerability by our security team
  • We will keep you updated as we work to mitigate the vulnerability you submitted
Contact:

Telephone: 888-670-8444
Fax: 647-372-0393

450 March Rd – Unit 102
Kanata, Ontario, Canada
K2K 3K2


Copyright 2022. Augmentt Technology Inc.  All rights reserved.