No technology is perfect, and Athento believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
While researching, we’d like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Athento staff or contractors
- Any physical attempts against Athento property or data centers
- 250€: high-severity issues that enable a direct attack (CSRF, XSS, injections, etc.)
- 500€: critical issues (remote server access, direct data access, etc.)
- Testing should preferably be done on app4.athento.com
- Once a bug has been reported, the same bug should not be reported again (e.g. in a different form of the application) until we announce the fix.
- Vulnerability details, together with a proposed solution, should be sent to email@example.com
Thank you for helping keep Athento and our users safe!
Previously reported bugs
These are the bugs that others have reported previously:
- 0319-1. Password guessing authentication vulnerability (Brute Force). Fixed.
- 0319-2. Stored XSS in several forms. Fixed.
- 0919-1. Stored XSS in several forms after upgrade of UI.