responsible disclosure policy.

ALCEA believes that the responsible disclosure of vulnerabilities is essential to improving the quality of our products and services, the safety of the customers who rely on them, and those customers' awareness of the choices available to them for protecting their own interests. ALCEA values insight from the security research community and welcomes responsible disclosure and collaboration with that community.

A responsible disclosure program helps ensure that access-control infrastructure is tested and proven reliable. Moreover, a visible commitment to mitigating vulnerabilities reassures our customers and the security industry.

The following is ALCEA's responsible disclosure policy:

  • ALCEA will disclose known vulnerabilities and their fixes to its customers in a manner that protects the end-users of ALCEA products. Disclosures made by ALCEA will credit the person(s) who first identified the vulnerability unless the reporter requests otherwise.
  • ALCEA is open to communicating and working with security researchers who approach ALCEA with a shared interest in improving security, and to coordinating the distribution of information that covers both the vulnerability and the fix that addresses it.
  • ALCEA does not operate a bounty program and does not offer monetary awards to researchers. However, ALCEA will publicly acknowledge, in a written advisory, the work of any security researcher(s) who privately bring the company valid information about a vulnerability and then work with ALCEA to coordinate the public announcement after a fix or patch has been developed, fully tested, and given a reasonable amount of time to be deployed by ALCEA and its customers.
  • Security researchers may post a link to the ALCEA advisory on their own websites as recognition for helping to minimize risk and helping end-users protect themselves.

We ask the security researcher community to work with ALCEA to coordinate the public disclosure of a vulnerability. Publicly revealing a vulnerability before notifying ALCEA could harm end-users by exposing sensitive information and putting people and organizations at risk of malicious attacks.

To that end, ALCEA strongly advocates a two-step process. First, the potential vulnerability is disclosed privately to ALCEA. Then, once the vulnerability has been validated and resolved, and ALCEA and its customers have had a reasonable time to deploy fixes, ALCEA coordinates the public disclosure, which includes recognition of the security researcher's discovery and confirms that credit goes to the right person(s).

We ask that researchers recognize that the time we need to investigate, validate and remediate a reported vulnerability varies with its complexity and severity. We will communicate expected timelines and any changes to them, and will collaborate where possible. Additionally, we request that researchers not use denial-of-service tools, and not compromise ALCEA user infrastructure or personal information, while performing testing or evaluation.

Like other leading companies, ALCEA applies industry best practices for the coordinated disclosure of vulnerabilities in order to protect the security ecosystem: ensuring that customers receive the highest-quality information, and driving public discourse about ways to improve products, protocols, methodologies, standards and solutions.

In case of a possible vulnerability

If you believe you have discovered a vulnerability, refer to the “Reporting Guidelines” for instructions on how to contact ALCEA’s Product Security Response Team to report your finding privately.