Attensi Security Vulnerability Disclosure Policy

Scope

This policy covers all security vulnerabilities identified within domains and subdomains of attensi.com and its services. Researchers must refrain from further exploitation of discovered vulnerabilities beyond what is necessary for reporting the issue. The test scope does not cover interactions with Attensi through other means, such as social engineering or physical security testing of Attensi offices.

Reporting

Vulnerabilities should be reported via email to security@attensi.com. PGP encryption is required for disclosures containing sensitive information. For all other reports, encryption is still encouraged to protect the details of your discovery. Please provide clear steps to reproduce the vulnerability, including screenshots if applicable, to ensure we can fully understand and address the issue. When reporting an issue, you must send all information directly via e-mail. Do not post information to video-sharing or pastebin sites. If your submission includes larger files, such as videos, email us and we will provide a means to upload them.

Coordinated Public Disclosure

Attensi is committed to transparent and responsible disclosure of vulnerabilities. We request that researchers refrain from publicly disclosing any details of discovered vulnerabilities until we have had an opportunity to investigate and remediate them as per our Response Commitment.

Response Commitment

Attensi will acknowledge receipt of vulnerability reports within 5 business days. Our goal is to assess and remedy verified vulnerabilities within two weeks from the acknowledgment date. In the unlikely event of a breaking change being required for an API endpoint, or a similar large-scale change, remediation can take longer.

Safe Harbor

Researchers acting in good faith and avoiding disruptions to the best of their ability will not be subject to legal action from Attensi. We ask that you do not engage in any activity that would impair the usability of our services or willfully access confidential information beyond what is necessary to report the vulnerability. Any personal, customer-related and/or proprietary information obtained in the process of discovering and reporting a vulnerability shall be securely erased after your assessment is complete, and shall never be disclosed to a third party. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed.

Rewards

Researchers who report vulnerabilities that are confirmed by Attensi as significant will be recognized, by name or handle, on our acknowledgments page, should they choose to be. Monetary rewards may also be provided for reports of particularly critical vulnerabilities, at Attensi's discretion.

Handling Personally Identifiable Information (PII) and Attensi Customer Intellectual Property (IP)

Researchers are strictly prohibited from disclosing, sharing, or publishing any customer data, personally identifiable information (PII), or any other sensitive information discovered during the course of vulnerability research. Failure to comply with this requirement will result in disqualification from the rewards program and potential legal action. When in doubt, contact us at security@attensi.com.