Responsible Disclosure Policy
1.1 Submission Process
- All discovered vulnerabilities shall be submitted to email@example.com
- Augmentt shall acknowledge vulnerability submission by responding to the sender’s initial email address within 3-5 business days
- Augmentt shall not reward or acknowledge any vulnerabilities if:
  - The vulnerability has already been publicly disclosed
  - The vulnerability hunting has caused any incidents to Augmentt’s services or its infrastructure
  - The vulnerability represents an informational or low impact severity for Augmentt’s business activities
1.2 Assessment Methodology
- All discovered and disclosed vulnerabilities shall be confirmed, assessed, and assigned a risk level
- Assessment methodology shall be the following:
Each finding is assigned two factors to measure its risk. Factors are measured on a scale of 1 (very low) through 5 (very high). This follows the OWASP Risk Rating Methodology.
- Impact: Indicates the finding’s effect on technical and business operations. It covers aspects such as the confidentiality, integrity, and availability of data or systems, and financial or reputational loss.
- Likelihood: Indicates the finding’s potential for exploitation. It considers aspects such as the skill level required of an attacker and the relative ease of exploitation.
- Findings are grouped into four severity levels based on their risk as calculated by their business impact and likelihood of occurrence, risk = impact * likelihood.
- High severity: Vulnerabilities with a high or greater business impact and high or greater likelihood. In case of exploitation, this type of vulnerability may severely impact business activities and operations. Reward: the highest tier of reward.
- Medium severity: Vulnerabilities with a medium business impact and likelihood. This also includes vulnerabilities that have either a very high business impact combined with a low likelihood, or a low business impact combined with a very high likelihood. Reward: regular reward rate.
- Low severity: Vulnerabilities that have either a very low business impact with at most a high likelihood, or a very low likelihood with at most a high business impact. Vulnerabilities where both business impact and likelihood are low are also considered Low severity. Reward: discretionary reward rate.
- Known: Known vulnerabilities are acknowledged but are not assigned a risk level.
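The following is an added worked example of the rating scheme above, not Augmentt's own triage tooling. It scores a finding as risk = impact * likelihood on the 1 to 5 scale and maps the pair to the severity level and reward wording the policy gives. The policy does not describe every combination of the two factors (for example impact 3 with likelihood 5), so the example reports those as "Unspecified" for manual triage rather than guessing; that choice, the helper names, and the treatment of "Unspecified" as not rewardable are assumptions made here.

```python
"""Worked example of the impact x likelihood rating described in section 1.2.

Added illustration only; this is not Augmentt's own triage tooling. The
severity rules below are transcribed from the policy text. Any
impact/likelihood pair the policy does not describe is reported as
"Unspecified" rather than guessed (an assumption made here).
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high

# Reward wording taken from the severity table in the policy.
REWARD = {
    "High": "highest tier of reward",
    "Medium": "regular reward rate",
    "Low": "discretionary reward rate",
    "Unspecified": "not stated in the policy; needs manual triage",
}


@dataclass(frozen=True)
class Assessment:
    impact: int
    likelihood: int
    risk: int          # risk = impact * likelihood
    severity: str
    reward: str


def severity_for(impact: int, likelihood: int) -> str:
    """Map an (impact, likelihood) pair to the severity level the policy names."""
    for value in (impact, likelihood):
        if value not in SCALE:
            raise ValueError(f"factors must be 1..5, got {value}")
    # High: impact high-or-greater AND likelihood high-or-greater.
    if impact >= 4 and likelihood >= 4:
        return "High"
    # Medium: both medium, or very high impact with low likelihood, or the reverse.
    if (impact, likelihood) in {(3, 3), (5, 2), (2, 5)}:
        return "Medium"
    # Low: very low impact with likelihood up to high, very low likelihood with
    # impact up to high, or both factors low.
    if (impact == 1 and likelihood <= 4) or (likelihood == 1 and impact <= 4):
        return "Low"
    if (impact, likelihood) == (2, 2):
        return "Low"
    # Everything else is not covered by the policy text (assumption: flag it).
    return "Unspecified"


def assess(impact: int, likelihood: int) -> Assessment:
    """Score a finding and attach the severity and reward wording."""
    sev = severity_for(impact, likelihood)
    return Assessment(impact, likelihood, impact * likelihood, sev, REWARD[sev])


def risk_matrix() -> list[list[str]]:
    """5x5 grid of severities; rows = impact 1..5, columns = likelihood 1..5."""
    return [[severity_for(i, l) for l in SCALE] for i in SCALE]


def is_rewardable(a: Assessment) -> bool:
    """Section 1.1 excludes informational/low findings from reward; unspecified
    combinations are treated as not rewardable until triaged (assumption)."""
    return a.severity in ("High", "Medium")


if __name__ == "__main__":
    for i, l in [(5, 5), (3, 3), (5, 2), (1, 4), (3, 5)]:
        a = assess(i, l)
        print(f"impact={i} likelihood={l} risk={a.risk:2d} -> {a.severity}: {a.reward}")
    print()
    print("impact \\ likelihood", *SCALE)
    for i, row in zip(SCALE, risk_matrix()):
        print(f"{i:>19}", *(s[0] for s in row))
```

Running the block prints the five sample ratings and the full grid, which makes the gaps in the written policy visible at a glance: the cells marked U are the pairs a triager still has to decide by hand.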
1.3 Excluded Submission Types
Some submission types are excluded because they are dangerous to assess, or because they haven’t met the submission criteria. These findings will be immediately marked as invalid, and are not rewardable:
- Findings from physical testing such as office access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing, vishing).
- Functional, UI, and UX bugs and spelling mistakes.
- Denial of Service (DoS/DDoS) vulnerabilities.
We determine bounty eligibility at our sole discretion based on a variety of factors, including (but not limited to) impact, risk, data exposure, ease of exploitation, and quality of the report. Our bounty awards vary by the classification of the issue. While we do not disclose the payout, we do offer a $ bounty for Medium and High Risk disclosures.
In the event of duplicate reports, we award a bounty to the first person to submit an issue meeting the eligibility requirements. Note that vulnerabilities reported in 3rd party systems/services are not eligible under our bug bounty program although we encourage you to report them.
Rules For You:
- Don’t maliciously attempt to leverage the reported vulnerability
- Don’t perform any attack that could harm the reliability/integrity of our services or data
- Don’t publicly disclose a security vulnerability before it has been fixed
- You cannot be an Augmentt employee or a contractor employed by Augmentt
Rules for Us:
- We will respond as quickly as possible to your submission
- We will pay the eligible bounty upon validation of the vulnerability by our security team
- We will keep you updated as we work to mitigate the vulnerability you submitted