No technology is perfect, and Athento believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Current conditions apply to bugs reported from 1st February 2020.
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Rewards may take up to 30 days to be received. We will try to do it as fast as possible.
- Only the first report of a bug will get the reward. If needed, we will report who and when was the bug reported the first time.
- Please, do not report vulnerabilities of external tools, such as Zendesk, Github, Asana, etc.
- If you detect a bug that is generic to the app, please, avoid reporting on each form or each URL. Report the generic bug and if, after the fix, you find it in other resources, you can report it separately.
- Security recommendations will only be rewarded if they are applicable to our case. General recommendations that make no sense for our product or business may not be accepted. Please, avoid too basic recommendations such as “implement 2FA” or “use https”.
- Please, avoid reporting bugs that you “thing” that may exist. Report bugs that you can prove evidence that they exist. If no evidence is given, we will not be able to reward you about it.
While researching, we’d like to ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Athento staff or contractors
- Any physical attempts against Athento property or data centers
- Avoid reporting CSRF bugs for GET calls, when we use GET, we understand it is ‘safe-mode’, as explained in RFC7231.
These are the rewards that we consider:
- 100€ Small security issues (XSS, injections, CSRF and similar in private space).
- 250€ High-security issues that can cause a direct public attack (XSS, injections, CSRF and similar in public web page).
- 500€ Critical security issues (remote server access, direct data access, etc.)
For any other small bug, security recommendations or bugs reported outside app4.athento.com, the reward is 50€.
- Analysis should be done preferably on app4.athento.com. If you plan to run an analysis on other resources, please, ask first.
- If you find a bug, the same bug should not be reported again (e.g. in a different form of the application) until we announce the fix.
- Vulnerability details with a proposed solution should be sent to firstname.lastname@example.org
Thank you for helping keep Athento and our users safe!
Previously reported bugs
These are the bugs that others have reported previously:
- 0319-1. Password guessing authentication vulnerability (Brute Force). Fixed.
- 0319-2. Stored XSS in several forms. Fixed.
- 0919-1. Stored XSS in several forms after the upgrade of UI. Fixed.
- 2020-1. Low level for captcha in remember password page.
- 2020-2. Image information not removed in avatar and logo images. Fixed for newly loaded images.
- 2020-3. Store XSS applies in “Insights” page. Fixed.
- 2020-4. Invalid SPF on athento.com domain. Fixed.
- 2020-5. Verification of user after sign up. Fixed.
- 2020-6. CAA DNS misconfiguration. Fixed.
- 2020-7. Stored XSS in metadata forms. Fixed.
- 2020-8. https is not used in a specific url. N/A.
- 2020-9. Possible external redirect on param requestURL. N/A.
- 2020-10. Clickjacking in Nuxeo. N/A.
- 2020-11. Token password expiration too long. N/A.
We want to thank especially for their professional collaboration to:
Fahimul Kabir Lemon
Owais Ahmed Siddiqui