Bug Bounty Program

Secure Gateway®️ Engineering is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you.

The Secure Gateway®️ Security Bug Bounty Program is designed to encourage security research in Secure Gateway®️ Technology and to reward those who help us make the internet a safer place.

ALSCO recognizes the value external security researchers can bring to the security of Secure Gateway®️ Technology, and we welcome and seek to reward eligible contributions from security researchers, as outlined below. If you believe you have found a security vulnerability in Secure Gateway®️ Technology, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

No technology is perfect, and ALSCO believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

# Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.

- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

# Exclusions
While researching, we'd like to ask you to refrain from:
* Denial of service
* Spamming
* Social engineering (including phishing) of ALSCO staff or contractors
* Any physical attempts against ALSCO property or data centers

# Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

# Out of Scope
- Spam or social engineering techniques.

- Denial-of-service attacks.

- Content injection. Posting content via Secure Gateway®️ is a core feature, and content injection (also "content spoofing" or "HTML injection") is out of scope unless you can clearly demonstrate a significant risk.

- Security issues in third-party apps or websites that integrate with Secure Gateway®️, except in specific circumstances.

- Executing scripts on sandboxed sub-domains (such as form.domain.com). Using alert(document.domain) in your payload can help verify whether the context is actually *.domain.com.
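The last exclusion matters in practice: a script that fires on form.domain.com is a different finding from one that fires on www.domain.com. The following is an added example, not code from the ALSCO page or its products, showing how to turn the value you would normally pop with alert(document.domain) into an explicit scope decision. The apex domain (domain.com) and the sandboxed host (form.domain.com) are assumed for illustration; substitute the real targets from the program scope.

```javascript
// Added example (not from the ALSCO page): decide whether the host a payload
// executed on is the in-scope domain, a sandboxed sub-domain, or something else.
// APEX and SANDBOXED are assumptions for illustration.

const APEX = "domain.com";              // assumed in-scope apex domain
const SANDBOXED = ["form.domain.com"];  // assumed sandboxed sub-domains (out of scope)

function normalizeHost(host) {
  // Lower-case, drop a trailing dot (FQDN form) and any port that leaked in.
  return String(host).trim().toLowerCase().replace(/\.$/, "").replace(/:\d+$/, "");
}

function isUnder(host, parent) {
  // True for the parent itself or any sub-domain on a label boundary.
  // "domain.com.evil.com" does NOT match, because it does not end with ".domain.com".
  return host === parent || host.endsWith("." + parent);
}

function classifyContext(host) {
  const h = normalizeHost(host);
  if (!isUnder(h, APEX)) return "not-our-domain";
  if (SANDBOXED.some((s) => isUnder(h, s))) return "sandboxed";
  return "in-scope";
}

// Use inside a payload instead of a bare alert, so the proof states the context
// rather than just the host. Accepts a document-like object for offline testing.
function proofOfContext(doc) {
  const host = doc.domain || doc.location.hostname;
  return `${classifyContext(host)}: ${host}`;
}

// Constructed sample hosts; no browser needed to run this.
const samples = [
  "www.domain.com",        // in-scope
  "form.domain.com",       // sandboxed, out of scope
  "x.form.domain.com",     // still under the sandboxed host
  "domain.com.evil.com",   // attacker-controlled look-alike
  "DOMAIN.COM.",           // apex in FQDN form, mixed case
];
samples.forEach((s) => console.log(s, "->", classifyContext(s)));
```

In a real browser payload you would call proofOfContext(document) and include the returned string in your report; reviewers can then see at a glance whether the execution context was the apex domain or a sandboxed sub-domain.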

# False Positives
- Open redirects. Any redirect using our "link" system is not an open redirect.

- Images or pictures that are publicly available. All pages are always public.

- Note that public information also includes username, ID, control panel path, and anything shared publicly.

- Accessing photos via raw image URLs from the Secure Gateway®️ CDN (Content Delivery Network).

- Case-insensitive passwords. We accept the "caps lock" version of a password, or the version with the first character capitalized, to avoid login problems.

# Bug Bounty Program Scope
To be eligible for a bounty, you can report a security bug in SECURE GATEWAY®️ or one of the following qualifying products or acquisitions in the ALSCO family:

    SECURE GATEWAY®️
    WEB SECURE GATEWAY™
    Cloud SECURE GATEWAY™
    E-Mail SECURE GATEWAY™
    DataBase SECURE GATEWAY™


# Bug Bounty Program Processes

We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Monetary bounties for such reports are entirely at ALSCO's discretion, based on risk, impact, and other factors. To be considered for a bounty, you must meet the following requirements:

- Adhere to our Responsible Research and Disclosure Policy and Safe Harbor provisions.

- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk. Report the vulnerability upon discovery or as soon as is feasible.

- Report a security bug involving one of the products or services that are within the scope of the program. We specifically exclude certain types of potential security issues, listed under "Out of Scope" and "False Positives".

- Submit your report to our e-mail address and respond to any follow-up requests from our staff for updates or further information. Please do not contact our staff directly or through other channels about a report.

- Use a test domain when investigating issues. If you cannot reproduce an issue with a test domain, you can use a real domain you are authorized to use (except for automated testing). Do not use or interact with any real domain belonging to another organization.


In turn, we will follow these guidelines when evaluating reports under our bug bounty program:

-We investigate and respond to all valid reports. Due to the volume of reports we receive, though, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply.

-We determine bounty amounts based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. If we pay a bounty, the minimum reward is $400. Note that extremely low-risk issues may not qualify for a bounty at all. Even if the issue you identify is low-risk in isolation, if your report leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.

-We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.

-In the event of duplicate reports, we award a bounty to the first person to submit an issue. A given bounty is typically only paid to one individual. However, if a subsequent report on a previously evaluated issue reveals that a vulnerability still remains or is more serious than initially judged, we may pay a reward for the subsequent report and evaluate whether an additional reward is warranted for the initial entry.

-We verify that all bounty awards are permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.

 

# Spotting Security & Privacy Issues

If you have discovered a vulnerability in Secure Gateway or ALSCO, or another serious security or privacy issue, please submit it to our bounty program hosted by HackerOne: https://hackerone.com/alsco

If you've found a vulnerability, please contact us at [email protected]

Thank you for helping keep ALSCO and our users safe!