Bug bounty program

No technology is perfect, and Athento believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Current conditions apply to bugs reported from 6th May 2020.

Disclosure Policy

  • Let us know as soon as possible upon the discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue. 
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Once a vulnerability is confirmed and in scope, the reward may take up to 45 days to be received. We will try to pay it as fast as possible.
  • Only the first report of a bug will get the reward. If needed, we will tell you who first reported the bug and when.
  • Please do not report vulnerabilities in external tools such as Zendesk, GitHub, Asana, etc.
  • If you detect a bug that is generic to the app, please avoid reporting it for each form or each URL. Report the generic bug and if, after the fix, you find it in other resources, you can report it separately.
  • Security recommendations will only be rewarded if they are applicable to our case. General recommendations that make no sense for our product or business may not be accepted. Please avoid overly basic recommendations such as “implement 2FA” or “use https”.
  • Please avoid reporting bugs that you “think” may exist. Report bugs for which you can provide evidence that they exist. If no evidence is given, we will not be able to reward you for the report.

Exclusions 

While researching, we’d like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Athento staff or contractors. 
  • Any physical attempts against Athento property or data centers
  • Reporting CSRF bugs for GET calls. When we use GET, we treat it as a ‘safe’ method, as explained in RFC 7231.
  • www.athento.com, rhombus.athento.com, and mastertables.athento.com are excluded for security issues with low impact (CSRF, XSS, etc.). Only report if you discover remote server access, direct access to sensitive data, remote code execution, etc. In any case, WordPress vulnerabilities are excluded from the scope.
  • Issues regarding Jira or any other Atlassian tool.
  • Subdomain takeover on Hubspot.

Out of scope vulnerabilities

The following finding types are specifically excluded:

  • Vulnerabilities affecting users of outdated browsers or platforms
  • Account brute force
  • Account takeover via CSRF/OAUTH etc.
  • Self-XSS
  • Reflected-XSS
  • Flash-based XSS
  • Tabnabbing
  • Email Spoof
  • Session fixation
  • Content Spoofing
  • Missing cookie flags
  • Best practices/issues
  • HTML content injection
  • Mixed content warnings
  • Clickjacking/UI redressing
  • HTTPS/SSL/TLS Related Issues
  • Physical or social engineering attacks
  • Reflected file download attacks (RFD)
  • Sending “massive” mails to yourself.
  • Issues that require unlikely user interaction
  • Login/logout/unauthenticated/low-impact CSRF
  • Unverified Results of automated tools or scanners
  • No SPF/DMARC in non-email domains/subdomains
  • SPF/DMARC issues where, due to internal requirements, the DMARC configuration is not “reject”.
  • Attacks requiring MITM or physical access to a user’s device
  • Issues related to networking protocols or industry standards
  • Carriage Return Line Feed injection without direct impact (CRLF)
  • Error information disclosure that cannot be used to make a direct attack
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Access or listing directories or resources that are considered public, such as listing a directory of public js, css, etc. libraries.
  • Subdomain takeover if you are not able to actually prove the takeover.
  • Subdomain takeover for subdomains or tools that Athento is not interested in (Instagram, Facebook, and others).
  • Cleaning of EXIF metadata for private documents or images.
  • Increasing or decreasing a rate limit when one already exists.
  • Any of the WordPress default configuration.

Rewards

These are the rewards that we consider:

  • 30€ Small security issues (XSS, injections, CSRF and similar in private space or that may only affect the users that belong to your app team).
  • 200€ High-security issues that can cause a direct public attack (XSS, injections, CSRF and similar in the public access app page).
  • 600€ Critical security issues (remote server access, direct data access, etc.)

For any other small bugs, security recommendations, bugs reported outside app4.athento.com, or bugs that have a very low probability of materialization, the reward is 20€. Even then, reports on domains other than app4.athento.com may not qualify, due to deprecation or any other reason that the security team will explain. We encourage you to ask first if you are going to focus on domains other than app4.athento.com.

Any report for a given URL and some of its variants will be considered ONE report.

Rewards will be sent via PayPal to the email account used in the report. Please return the invoice to acc at athento.com.

Other

  • Analysis should be done on app4.athento.com. If you plan to run an analysis on other resources, please ask first.
  • In any case, please ask before reporting on Nuxeo instances. Most such findings may have already been reported or be out of scope.
  • If you find a bug, the same bug should not be reported again (e.g. in a different form of the application, or different instance) until we announce the fix.
  • Vulnerability details with a proposed solution should be sent to support@athento.com.
  • Private accounts for white- or gray-box analysis will only be allowed as Athento sees fit, to avoid the overhead of reports.
  • Please report from the same email address that you will use to receive the payment. Using a different email address may delay payment.
  • After receiving the payment, please send the invoice to:
    Athento Europa S.L
    B92688365
    29590 Malaga – Spain

Thank you for helping keep Athento and our users safe!

Previously reported bugs

These are the bugs that others have reported previously:

  1. 0319-1. Password guessing authentication vulnerability (Brute Force). Fixed.
  2. 0319-2. Stored XSS in several forms. Fixed.
  3. 0919-1. Stored XSS in several forms after the upgrade of UI. Fixed.
  4. 2020-1. Low level for captcha in remember password page.
  5. 2020-2. Image information not removed in avatar and logo images. Fixed for newly loaded images.
  6. 2020-3. Stored XSS applies in “Insights” page. Fixed.
  7. 2020-4. Invalid SPF on athento.com domain. Fixed.
  8. 2020-5. Verification of user after sign up. Fixed.
  9. 2020-6. CAA DNS misconfiguration. Fixed.
  10. 2020-7. Stored XSS in metadata forms. Fixed.
  11. 2020-8. https is not used in a specific url. N/A.
  12. 2020-9. Possible external redirect on param requestURL. N/A.
  13. 2020-10. Clickjacking in Nuxeo. N/A.
  14. 2020-11. Token password expiration too long. N/A.
  15. 2020-12. DMARC configuration. I/P

Special thanks

We especially want to thank the following people for their professional collaboration:

Fahimul Kabir Lemon

Kunal Mashke

Owais Ahmed Siddiqui