Responsible Disclosure Program
Allied Solutions, LLC is committed to maintaining the security of our systems and our customers’ information.
This policy applies to security researchers interested in reporting security vulnerabilities. If you report an issue that is determined to be within program scope and a valid security issue, and you have followed the program guidelines, Allied Solutions, LLC will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued.
In Scope
Vulnerabilities in hardware and software owned and operated by Allied Solutions, LLC with demonstrated impact, including:
- OWASP Top 10 vulnerabilities in web applications
- Infrastructure vulnerabilities
- Other vulnerabilities with demonstrated impact
Out of Scope
Vulnerabilities in hardware and software either not owned and operated by Allied Solutions, LLC or without demonstrated impact, including:
- Theoretical vulnerabilities
- Vulnerabilities that only disclose non-sensitive information
- Vulnerabilities without demonstrable impact
- Vulnerabilities in third party systems
The following types of tests are considered out of scope:
- Denial of Service (DoS) tests
- Physical security testing, e.g., office access, tailgating
- Social engineering
- Intentionally and/or potentially disruptive tests, e.g., DNS spoofing
- Functionality bugs, clickjacking, and spoofing email
Handling Consumer Information
If you uncover any of the following types of information during testing, stop testing and notify us immediately:
- Personally identifiable information, e.g., Social Security Numbers, driver’s license numbers
- Financial information, e.g., bank account numbers
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Allied Solutions, LLC will not initiate or recommend legal action related to your research.
We consider vulnerability research conducted according to the guidelines and scope of this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls; and
- Exempt from restrictions in any software Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us through one of the channels in the "Reporting a vulnerability" section before going any further.
Reporting a Vulnerability
Submit a vulnerability report to firstname.lastname@example.org. This report should contain the following:
- A description of the vulnerability and affected assets
- A detailed description of the steps to exploit the vulnerability or otherwise reproduce the issue including proof-of-concept code and screenshots
- Any other technical information germane to the vulnerability
We encourage the use of encryption during the disclosure process. Use the following PGP key to protect the submitted information.
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Allied Solutions, LLC believes that the information disclosed is valuable to the public and expects that a security researcher would want to disclose their work publicly. Doing so in a coordinated manner is crucial to the overall security posture of the Internet.
You can expect that our team will adhere to the following:
- We will acknowledge receipt of the disclosure within seven (7) business days.
- We will work with you to understand the vulnerability, its impact, and potential resolutions.
- We will provide you with periodic updates on our progress.
We expect you, as a security professional working within a responsible disclosure policy, to adhere to the following:
- Do not disclose information relating to the vulnerability to any third party until either:
  - The vulnerability is remediated; or
  - 90 days have elapsed from the date of disclosure.
- Coordinate your public disclosure with our team to ensure you are not releasing sensitive information.