Responsible Disclosure Policy

In this policy, references to “Accurics”, “us”, “we” and “our” mean Accurics, Inc., a privately held company.

Accurics was founded on the idea that companies should be able to innovate in the cloud with confidence by enabling cyber resilience through technology that allows them to scan their cloud native technologies for misconfigurations so that they can identify them, fix them, and improve their security. We have created technologies that enable our customers to do just that, without slowing down development velocity while ensuring that their software is developed securely from the start.

With this in mind, transparency and openness in sharing information that could improve the security of every organization is one of our core values. Accurics is committed to working with the research community to protect our company and our customers. We encourage and welcome anyone who believes he, she, or they has identified a vulnerability to contact us with security concerns or information pertinent to the integrity, functionality, or confidentiality of our enterprise or open source software.

The terms below apply to any website, application, or service distributed by or hosted by Accurics, Inc.

Please use the email address [email protected] to alert us to:

  • Vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data, software, or services, or our customers’ data
  • Applications that mimic, mislabel, misdirect, or “copycat” Accurics, or phishing attacks even if they do not originate from Accurics sources
  • Written or verbal discussion, activities, or data in any public forum which you believe constitutes a threat to Accurics, our employees or our customers

How to disclose a vulnerability or security issue to Accurics, Inc.

When contacting us to provide a disclosure, you agree to the terms of our Privacy Policy and that we can use the information you provide to ensure the integrity, security and reliable functionality of our technology and business.

If you are uncomfortable sending any of the following content by email, you may mask or redact sensitive content or encrypt data using a GPG key.

Your submission should contain:

  • Clear description and evidence of the vulnerability (logs, screenshots, responses or other evidence)
  • The tool(s) you used in discovering the vulnerability
  • Date of discovery
  • Detailed steps to reproduce the issue, if possible
  • Any platforms, operating systems, versions that are relevant
  • Any relevant IP addresses or URLs
  • Your assessment of the exploitability or impact of the issue
  • Your name and contact details

Responsibilities

DO:

  • Provide a detailed and complete submission
  • Be sure to include your contact information so that Accurics can communicate as necessary
  • Be specific and detailed
  • Treat the vulnerability report and any vulnerability as confidential information and not divulge to any third person (except disclosure to Accurics) any such information until public disclosure is mutually agreed upon with Accurics
  • Report vulnerabilities in a vendor we integrate with or leaks of Accurics customer data

DO NOT:

  • Break international, federal, state or local laws
  • Put Accurics data, employees or customers at risk
  • Do any unsolicited testing that would result in a denial of service (DoS), attempt at physical access, or anything that could be considered social engineering against Accurics employees

Accurics’ response

Accurics has taken measures to ensure that reports of this nature are treated with high value and can be responded to quickly and effectively. For credible vulnerability disclosures that provide the required information, Accurics commits to responding to confirm receipt within 48 business hours.

We will not respond to:

  • Hoaxes or anonymous reports
  • Reports that are generic or lack evidence to be verified
  • Reports that bear no relevance to Accurics as a company, its technologies or its employees or customers
  • Reports that are non-actionable

Recognition

Accurics believes in coordinated disclosure with regard to vulnerabilities that have been reported to us and fixed. We expect professional conduct and will seek to agree on reasonable timelines for updates and coordination with security researchers and others who may report vulnerabilities.

While we will work diligently to address vulnerabilities, we will work with you to set expectations on the timeline for fixing a vulnerability and do not adhere to specific windows of time for either fixes or updates to the person who filed the report. We will disclose publicly alongside anyone who makes a report that helps us ensure our technologies, data and employees are secure. At this time, we are not offering financial compensation for vulnerability reports; however, we would be happy to offer company swag as a token of our appreciation.

Please click here to report a vulnerability or other information security issues. 

For customers, please login to the Accurics Platform and click “Contact Us” to report a vulnerability or other information security issues.

Thank you for helping keep Accurics secure!

 
