Adoptech Responsible Disclosure Policy
Last update: October 18, 2024
Reporting Security Vulnerabilities to Adoptech
At Adoptech, safeguarding our services and ensuring data security is our top priority. If you’re a security researcher who has identified a security flaw in our Services, we appreciate your assistance in responsibly disclosing it to us.
Our responsible disclosure process is managed through HackerOne’s Vulnerability Disclosure Program (VDP). To report a vulnerability, please use the submission form at the bottom of this page.
Please note that only vulnerabilities submitted via HackerOne’s program will be considered for a reward. If you’ve previously responsibly disclosed a vulnerability to us, we extend our gratitude to you.
When reporting a vulnerability, please provide a detailed description of the attack scenario, exploitability level, impact on Adoptech and/or its customers, and a comprehensive report with reproducible steps. Incomplete reports that do not allow us to replicate the issue will not be eligible for a reward.
The following are the HackerOne program rules for responsible disclosure:
- Accessing any customer data is always strictly prohibited.
- Accessing any Adoptech internal data is always strictly prohibited.
- Submit only one vulnerability at a time unless vulnerabilities are chained together to demonstrate impact.
- When duplicate submissions occur, we award only the first reproducible report received.
- Multiple vulnerabilities that share a single underlying root cause will be treated as one report and awarded once.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Privacy violations, destruction of data, and interruption or degradation of our service must be avoided. You must only use accounts you own or have the explicit permission of the account owner to use.
- Findings that merely reproduce the output of SSL/TLS testing sites, security score sites, or similar automated scanners will not be eligible for bounty.
Exclusions
Known vulnerabilities are not eligible for reward and may be marked as duplicates if the root cause aligns too closely with an already reported issue.
The following issues are considered out of scope:
- Any activity that could lead to the disruption of our service (DoS).
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Previously known vulnerable libraries without a working Proof of Concept.
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- Missing best practices in Content Security Policy.
- Missing email best practices (for example, invalid, incomplete or missing SPF/DKIM/DMARC records).
- Vulnerabilities affecting users of outdated or unpatched browsers.
- Publicly disclosed zero-day vulnerabilities for which an official patch has been available for less than one month; these are awarded on a case-by-case basis.
- Open redirect (without additional security impact demonstrated).
Contact
If you have any questions or suggestions feel free to contact us at [email protected]