Responsible Disclosure Policy

Responsible Disclosure Policy
1.1 Submission Process
All discovered vulnerabilities shall be submitted to [email protected]
Augmentt shall acknowledge vulnerability submission by responding to the sender’s initial email address within 3-5 business days
Augmentt shall not reward or acknowledge any vulnerabilities if:
The vulnerability has already been publicly disclosed
The vulnerability hunting has caused any incidents to Augmentt’s services or its infrastructure
The vulnerability represents an informational or low impact severity for Augmentt’s business activities
1.2 Assessment Methodology
All discovered and disclosed vulnerabilities shall be confirmed, assessed, and assigned a risk level
Assessment methodology shall be the following:
Risk Factors

Each finding is assigned two factors to measure its risk. Factors are measured on a scale of 1 (very low) through 5 (very high). This follows the OWASP Risk Rating Methodology.

Impact

Indicates the finding’s effect on technical and business operations. It covers aspects such as the confidentiality, integrity, and availability of data or systems; and financial or reputational loss.
Likelihood

Indicates the finding’s potential for exploitation. It considers aspects such as the skill level required of an attacker and relative ease of exploitation.
Severity Definitions

Findings are grouped into four severity levels based on their risk as calculated by their business impact and likelihood of occurrence, risk = impact * likelihood.
Risk Level Description Reward assessment
High Vulnerabilities with a high or greater business impact and high or greater likelihood are considered High severity. In case of exploitation, this type of vulnerability may severely impact business activities and operations. The highest tier of reward.
Moderate Vulnerabilities with a medium business impact and likelihood are considered Medium severity. This also includes vulnerabilities that have either very high business impact combined with a low likelihood or have a low business impact combined with a very high likelihood Regular reward rate
Low Vulnerabilities that have either a very low business impact, maximum high likelihood, or very low likelihood, maximum high business impact, are considered Low severity. Also, vulnerabilities where both business impact and likelihood are low are considered Low severity. Discretionary reward rate
Informational Know vulnerabilities are acknowledged but aren’t assigned a risk level.
1.3 Excluded Submission Types
Some submission types are excluded because they are dangerous to assess, or because they haven’t met the submission criteria. These findings will be immediately marked as invalid, and are not rewardable:

Findings from physical testing such as office access (e.g. open doors, tailgating).
Findings derived primarily from social engineering (e.g. phishing, vishing).
Functional, UI, and UX bugs and spelling mistakes.
Denial of Service (DoS/DDoS) vulnerabilities.
We determine bounty eligibility at our sole discretion based on a variety of factors, including (but not limited to) impact, risk, data exposure, ease of exploitation, and quality of the report. Our bounty awards vary by the classification of the issue. While we do not disclose the payout, we do offer a $ bounty for Medium and High Risk disclosures.

In the event of duplicate reports, we award a bounty to the first person to submit an issue meeting the eligibility requirements. Note that vulnerabilities reported in 3rd party systems/services are not eligible under our bug bounty program although we encourage you to report them.

Rules
Rules For You:

Don’t maliciously attempt to leverage the reported vulnerability
Don’t perform any attack that could harm the reliability/integrity of our services or data
Don’t publicly disclose a security vulnerability before it has been fixed
You cannot be an Augmentt employee or a contractor employed by Augmentt
Rules for Us:

We will respond as quickly as possible to your submission
We will pay the eligible bounty upon validation of the vulnerability by our security team
We will keep you updated as we work to mitigate the vulnerability you submitted

Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.