Security
Introduction
We value the contributions of the security research community and recognize the importance of a coordinated approach to vulnerability disclosure. If you have discovered a security vulnerability, we encourage you to let us know immediately. We welcome the opportunity to work with you to resolve the issue promptly.
Guidelines for reporting a vulnerability
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Only interact with accounts you own or with the explicit permission of the account holder.
What do we expect from you?
- Submit your reports in English.
- Always follow our Responsible disclosure guidelines.
- Ensure your report contains the following aspects:
- - Type of issue
- - Digital product, version, and configuration of software containing the bug
- - Step-by-step instructions to reproduce the issue
- - Proof-of-concept
- - Impact of the issue
- - Suggested mitigation or remediation actions, as appropriate.
What can you expect from us?
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 5 business days.
- Investigation: We will conduct a thorough investigation and work with you to understand the issue.
- Resolution: We will address the vulnerability in a timely manner and provide an estimated timeline for remediation.
Safe Harbor
We will not pursue legal action against researchers who identify and report vulnerabilities in accordance with these vulnerability disclosure guidelines. Adhering to the rules of engagement outlined on this page is crucial. Your research activities must avoid violating user privacy, disrupting services, or accessing data beyond what is necessary to demonstrate the vulnerability. We also commit to not sharing your personal information without your consent, unless required by law. Thank you for helping us maintain the security of our systems.
Thank you for helping keep ADAMnetworks and our users safe!
Scope of reward program
We will accept submissions for any asset owned and operated by ADAMnetworks.
However, to qualify for a reward, a submission must fall within the scope of our program, which includes the assets listed below.
We strive to reward any reports that result in a change on our end.
- Public marketing web site: <adamnet.works>
- ADAMnetworks Client Dashboard: <dashboard.adamnet.works>
- adam:ONE package
- - anmuscle
- - anckg
- - installer (platform specific)
Vulnerability Disclosure Program