Coordinated disclosure policy
Last Update: Jan 28, 2020
At AEON.to we attach great importance to the security and privacy of all our stakeholders. It is part of our job to do our best to ensure that all our systems are well protected and the data we hold is safe.
An important component of this task is to discover any kind of malfunction or misconfiguration in our systems that may affect or compromise AEON.to and its users. On this matter we acknowledge the importance of the work being done by independent security researchers, and we are willing to work with them to achieve this goal as long as everybody acts in good faith.
We try to respond, investigate and address any bug/vulnerability report in a timely fashion, in order to be responsible to our users and to respect the effort of the person making the report.
Below you can find all the details about how to correctly make a report.
To initiate the reporting process you should gather all the information you collected about the vulnerability in an email message and send it to firstname.lastname@example.org.
Please make your description as detailed as possible. You should try to include:
For high severity issues that can easily be exploited, we would appreciate it if the email content were encrypted first. You can get our PGP public key here and confirm it has the following fingerprint: 2CC2 15C9 16DF 9D6E E787 25F9 210D 779C CE3C 398B
Note: You can also include information about your PGP key, to keep all further discussion private.
We respect your work, so you can count on us to:
Actions we do not allow
While we welcome most bug and vulnerability reports, we expect them to be found in a responsible way, so there is certain conduct we explicitly do not allow, such as:
Acknowledgements and Rewards
All accepted reports will automatically be acknowledged by us on a dedicated public page for this matter. This acknowledgement will contain the author’s name (or identifier), date and the type of bug/vulnerability found.
In case you do not want to be added to the page, please mention it in the email exchanges during the reporting process.
Other kinds of prizes might be awarded. The decision will be made by a dedicated internal team and will be based on the following criteria:
We don’t expect to award these extra prizes in all cases; they are intended for exceptional reports.