Coordinated disclosure policy

Last Update: Jan 28, 2020

At AEON.to we give great importance to the security and privacy of all our stakeholders, it is part of our job to do our best to ensure all our systems are well protected and the data we hold is safe.

An important component of this task is to discover any kind of mal-function or mis-configuration in our systems that may affect or compromise AEON.to and its users. On this matter we acknowledge the importance of the work being done by independent security researchers and we are willing to work with them to achieve this goal as long as everybody acts in good faith.

We try to respond, investigate and address any bug/vulnerability report in a timely fashion, in order to be responsible to our users and to respect the effort of the person making the report.

Below you can find all the details about how to correctly make a report.

Process

To initiate the reporting process you should gather all the information you collected about the vulnerability in an email message and send it to security@aeon.to.

Please make your description as detailed as possible, you should try to include:

  1. The components that are affected.
  2. Any preconditions you believe to be required.
  3. The steps you took to trigger the bug.

For high severity issues that can easily be exploited, we would appreciate if the email content is encrypted first. You can get our PGP public key here and confirm it has the following fingerprint: 2CC2 15C9 16DF 9D6E E787 25F9 210D 779C CE3C 398B

Note: You can also include information about your PGP key, to keep all further discussion private.

Our commitment

We respect your work, so you can count on us to:

  1. Respond in a timely manner, acknowledging your report as soon as we receive it and letting you know about the status of our internal investigation in the first 48h.
  2. Provide you with a real timeline for the resolution of the problem.
  3. Notify you when it is solved or when there is any delay.
  4. Acknowledge your contribution publicly.

Actions we do not allow

While we welcome most bug and vulnerability reports, we expect them to be found in a responsible way, so there are certain conducts we explicitly do not allow such as:

  1. Intentional attempts to cause denial of service to our production systems.
  2. Performing actions that negatively affect AEON.to and/or its users, including accessing, modifying or destroying information that does not belong to you.
  3. Any kind of non-technical attacks such as social engineering or phishing.
  4. Spamming in public zones within the service (chat rooms, forums, etc).

Acknowledgements and Rewards

All accepted reports will automatically be acknowledged by us on a dedicated public page for this matter . This acknowledgement will contain the author’s name (or identifier), date and the type of bug/vulnerability found.

In case you do not want to be added to the page, please mention it on the email exchanges during the reporting process.

Other kinds of prizes might be awarded, the decision will be made by a dedicated internal team and will be based on the following criteria:

  1. Severity: The possible damage to AEON.to and its users.
  2. Impact: The amount of affected users
  3. Exploitability: How easy would be to exploit such vulnerability.
  4. Report quality: Overall level of detail and clarity of the report.

We don’t expect to award this extra prizes on all cases, it is intended for exceptional reports.