Responsible Disclosure Policy
Last updated: November 2024
At Axiell Group, we take the security of our systems seriously, and we value the ongoing efforts of the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our End-users.
This Responsible Disclosure Policy (the “Policy”) applies to the Axiell Group of companies (hereafter collectively referred to as “Axiell”). It outlines the steps to be followed by persons visiting, exploring and/or using any of Axiell’s websites, including mobile applications, dashboards and portals (the “Axiell Systems”) upon encountering a security vulnerability or weakness.
Please note that, whilst we appreciate any disclosure relating to a potential security vulnerability or weakness, we do not currently operate a bug bounty program: reporting a vulnerability does not entitle the researcher to any payment or reward.
If you believe you have identified a potential security vulnerability in an Axiell System, kindly report your findings promptly to Axiell by emailing us at infosec@axiell.com. Please include the following details with your report:
- a description of the location and potential impact of the vulnerability;
- a detailed description of the steps required to reproduce or validate the vulnerability (a proof of concept, scripts and screenshots are helpful); and
- your name or handle and a means of contacting you.
Please write the report in English where possible.
Notwithstanding any other requirements under applicable laws, we require that all security researchers:
- keep information about any vulnerability they have discovered confidential between themselves and Axiell until at least 90 days have passed from the date on which we acknowledged the report (the 90-day period runs from our acknowledgement, not from the date of submission), so that we have time to resolve the issue; and
- make every effort to avoid violating privacy in the country where they are based, destroying data (including personal data), interrupting or degrading the Axiell Systems, or causing a degradation of the End-user experience.
In the interest of the safety of our Clients, End-users, employees and you as a security researcher, the following is excluded from the scope of any testing:
- modifying or accessing data (including personal data) that does not belong to you;
- initiating a network-level distributed denial-of-service (DDoS) attack, i.e. a malicious attempt to disrupt the normal traffic of the Axiell Systems by overwhelming our infrastructure with a flood of internet traffic;
- spamming the Axiell Systems;
- findings derived from social engineering or phishing of Axiell, our employees, contractors and other affiliates;
- any non-technical vulnerability testing;
- reports concerning UI and UX bugs or spelling mistakes;
- conducting any attacks against Axiell's physical property or data centres, including findings from physical testing such as office access (e.g. open doors, tailgating etc.); and/or
- submitting a high volume of low-quality reports.
When you share a security vulnerability report and your contact information with Axiell, we commit in good faith to coordinate with you as openly and as quickly as reasonably possible to: acknowledge that your report has been received; confirm the existence of the vulnerability; and be as transparent as we reasonably can (whilst protecting the interests of our business) about the steps Axiell is taking to remediate the issue, including any challenges that may delay its resolution.
Whilst we are committed to continually improving the Axiell Systems and addressing any vulnerabilities identified, findings that relate to our testing environments (i.e., our sandbox and/or other test systems) will be treated as low priority, and we will not provide a timeline for resolving such issues.
For any questions or comments concerning this Policy, please contact us.