Responsible Disclosure

Reporting weaknesses in our IT systems

We work hard every day to maintain and improve our systems and processes so that our customers can use our products and services safely online at all times. However, should you find a weakness in one of our IT systems, we would appreciate your help.

Reporting

What you can report

You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. Examples are:

  • AWS credential exposure or account access vulnerabilities
  • Lambda function related or execution vulnerabilities due to any code-level issues under the control of SLAppForge

What you should not report

  1. DMARC / SPF / DKIM related issues reported against our domains that are not used for email
  2. Any issues against the public website as2gateway.com, such as clickjacking, prototype pollution, CSRF, etc. The public website is different from our real applications.
  3. Browser compatibility or browser issues, weak encryption, etc., as we use Amazon CloudFront as our CDN

How to report a weakness

You can report weaknesses to us by email to responsible.disclosure@slappforge.com. State concisely in your email what weakness(es) you have found. We will take appropriate action based on the severity. Our security experts will investigate your report and will reply back to you if we require more information.

Reporting an issue by any other means (e.g. to other email addresses designated for business use, such as but not limited to info@slappforge.com) will not be considered, as our administration staff who read such emails will mark them as spam and/or block your email address from reaching us again.

No Monetary rewards for unsolicited reports

Please note that due to a recent increase in reports of issues of a very minor nature, we are compelled to ignore reports we do not consider to be serious. To avoid a waste of both your time and ours, we request that you first email us a profile of yours (including references to any previous issues found) and any vulnerabilities that you wish to test. Only proceed with any investigations if you receive a confirmation reply from us to proceed. To request permission to proceed, please email your profile to vulnerability.testing.request@slappforge.com.

Please be aware that you will not be eligible for any monetary reward, unless you have obtained prior approval to proceed with any testing.

Rules

Observe the rules

If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offense to the authorities.

It is important for you to know, however, that the public prosecutor’s office, not SLAppForge, will decide whether or not you will be prosecuted, regardless of whether we report your offense to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offense when investigating a weakness.

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.

  • Do not use weaknesses you discover for purposes other than your own investigation.
  • Do not use social engineering to gain access to a system.
  • Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
  • Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
  • Do not alter the system in any way.
  • Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
  • Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Frequently-asked questions