Vulnerability Disclosure Policy

September, 2021

Introduction

Airtame is committed to the security of both our cloud platform and devices. Therefore, we acknowledge the key role that independent security researchers play in protecting the Internet and, because of that, we welcome them to disclose any vulnerabilities found directly to our team so we can verify and address any potential issue reported.

This policy describes how Airtame engages security researchers and the different considerations that need to be made when reporting a security vulnerability in a responsible way, including what is allowed and what is not allowed. If the policy is not followed, the chance of response to a vulnerability report will be reduced, which would also influence the possibility of getting a mention in our Hall of Fame or a bounty, in case applicable although not guaranteed -it depends on several factors including then-current budget, severity of the vulnerability and previous reports and acknowledgements.

Guidelines

If you’ve discovered a security vulnerability that you’d like to report, please send an email to security@airtame.com with the following information:

Detailed description of the suspected vulnerability, including the date when it was discovered
Steps and processes required to recreate the vulnerability. If needed, you can attach screenshots or any media to help with this, including potential scripts or code used for the discovery.
If deemed necessary, add any other information that might help with assessing the vulnerability (e.g. if you have found Personal Identifiable Information).

As soon as we receive the report, Airtame will:

Reply to your email with an acknowledgement within 5 business days.
Validate and verify the vulnerability reported.
Engage with the responsible team to address the vulnerability and potentially develop a fix.
Notify you regarding the vulnerability status and how Airtame will approach the fix.

Due to business needs and engineering priorities, Airtame will need reasonable time to address any reported and verified vulnerability. Likewise, the reported vulnerabilities will be handled according to their severity and ease of exploitation. In this regard, we will be as transparent as possible and let you know about the status of the fix.

When trying to exploit a potential vulnerability, you must always take into account the following conditions:

Do not disrupt or perform actions that may negatively affect Airtame or its customers (e.g. spam, denial of service, use malware…).
Do not destroy, corrupt or modify -or attempting to do so- Airtame data, information or systems.
Do not access or attempt to access any Airtame data, information or systems.
Do not use automatic, invasive or disrupting scanning and exploitation tools.
Do not social engineer any Airtame employee or personnel related to the company in any way.
Do not violate any laws or breach any agreements in order to discover a vulnerability.
Do not test report any vulnerability within our out-of-scope vulnerabilities list.
Do not disclose the vulnerability to the public or third parties before following the process explained above.

Out-of-scope vulnerabilities

Weaknesses within TLS/SSL configuration and certificates, including weak or insecure cipher suites.
HTTP security headers that do not directly pose a vulnerability.
Redirections and DNS records configuration.
User management within the platform, including password policy for Airtame Cloud or email activation workflow.
Known-vulnerable libraries without actually showing evidence of exploitability within the platform or device.
Suggestion on configuration management based on best practices (including SPF and DMARC).
UI / UX bugs.
CSRF related to login / logout, lack of tokens in non-sensitive actions or those that require a secret to be known.
CSRF or clickjacking with no practical use to attackers.

Hall of Fame

Nikhil Rane – Clickjacking
Sanidhya Soni – Subdomain takeover
Rakesh Sharma – Parameter pollution