We operate a policy of responsible disclosure whereby we work closely with security researchers to ensure any potential vulnerabilities submitted to us are reviewed and remediated as soon as possible.
If you believe you have identified a security vulnerability in one of our products, services, applications or systems, then we would love to work with you to fix it as quickly as possible.
When to report a security vulnerability?
If you think you have identified a security vulnerability that affects Algbra systems and/or customers then you should submit a report as soon as possible.
We request that all researchers follow the straightforward guidelines below:
- Do not publicise the vulnerability without our explicit approval
- Do not access customer or employee personal information or any Algbra confidential information. If you accidentally access any of these, please stop testing and submit your report immediately.
- Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
- Do not degrade the Algbra Platform (e.g., Denial of Service), customer experience, disrupt production systems, or destroy data during your research.
- Do not run automated vulnerability scans - we have the capability to do this ourselves.
What information should you provide in the report?
The more information you are able to provide, the faster we will be able to respond and remediate any potential vulnerabilities.
The below information is a loose template we ask researchers to follow when reporting vulnerabilities:
- Your name
- Date and time of discovery
- Your number, if you are comfortable providing it
- Technical details of the vulnerability
- Raw HTTP requests and responses where appropriate. Any timestamps that would help us correlate logs would be useful
- A clear and concise step-by-step guide to allow for validation. Attach any screenshots or videos to the email or share them via a private storage account. Do not upload any attachments to public storage websites
Reports that are out of scope and that are unlikely to facilitate a response:
- Reports that are not actual security vulnerabilities (e.g., forgetting your password is not a security vulnerability)
- Spamming, social engineering, or phishing attacks
- Accessible, non-sensitive files or directories (e.g., README.txt, robots.txt, etc.)
- Fingerprinting / banner / version disclosure of common applications and/or services
- Username / email enumeration by brute-forcing or by inference from certain error messages - except in exceptional circumstances such as the ability to enumerate phone numbers by incrementing a variable
Now that you’ve read the above, here’s how you can contact us:
Send through your report to firstname.lastname@example.org