Reporting weaknesses in our IT systems
We work hard every day to maintain and improve our systems and processes so that our customers can use our products and services safely online at all times. However, should you find a weakness in one of our IT systems, we would appreciate your help.
What you can report
You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. Examples are:
- AWS credential exposure or account access vulnerabilities
- Lambda function-related or execution vulnerabilities due to any code-level issues under the control of SLAppForge
What you should not report
- DMARC / SPF / DKIM-related issues reported against those of our domains that are not used for email
- Any issues against the public website as2gateway.com, such as clickjacking, prototype pollution, CSRF, etc. The public website is different from our real applications.
- Browser compatibility or other browser issues, weak encryption, etc., as we use Amazon CloudFront as our CDN
How to report a weakness
You can report weaknesses to us by email to firstname.lastname@example.org. State concisely in your email what weakness(es) you have found. We will take appropriate action based on the severity. Our security experts will investigate your report and will reply to you if we require more information.
Reporting an issue by any other means (e.g. to other email addresses designated for business use, such as but not limited to email@example.com) will not be considered, as our administration staff who read such emails will mark them as spam and/or block your email address from reaching us again.
No monetary rewards for unsolicited reports
Please note that due to a recent increase in reports of issues of a very minor nature, we are compelled to ignore reports we do not consider to be serious. To avoid wasting both your time and ours, we request that you first email us your profile (including references to any previous issues found) and any vulnerabilities that you wish to test. Only proceed with any investigations if you receive a confirmation reply from us to proceed. To request permission to proceed, please email your profile to firstname.lastname@example.org.
Please be aware that you will not be eligible for any monetary reward, unless you have obtained prior approval to proceed with any testing.
Observe the rules
If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offense to the authorities.
It is important for you to know, however, that the public prosecutor’s office, not SLAppForge, will decide whether or not you will be prosecuted, regardless of whether we report your offense to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offense when investigating a weakness.
Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.
- Do not use weaknesses you discover for purposes other than your own investigation.
- Do not use social engineering to gain access to a system.
- Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
- Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
- Do not alter the system in any way.
- Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
- Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.
You will be considered for a reward ONLY if you have obtained prior permission to perform vulnerability testing as described above.
As a policy we do not consider rewards for unsolicited reports.
If you received prior authorization to proceed, you might receive a reward – but we are not required to give you one. You are not necessarily entitled to compensation, especially if your investigation is unable to alter our internal systems or databases. The amount of the reward, if any, is not fixed in advance. SLAppForge Inc. determines the amount, based on the following:
- The caution taken in your investigation
- The quality of your report
- The amount of potential damages prevented as a result of your report
You will NOT receive a reward or reply if you have not followed the instructions listed above, especially if you do not use the proper email addresses to request permission and to disclose any vulnerabilities.
No. Under no circumstances should any weaknesses in our IT systems or your investigation be published without our prior written permission. Please note that as a policy we do not generally allow any such publication, even after an issue is resolved.
The email address email@example.com is not intended for the following:
- To submit complaints about SLAppForge Inc.'s products or services
- To submit questions or complaints about the availability of the website
- To report viruses
Yes, you can. You do not have to give us your name and contact details when you report a weakness.