Responsible Disclosure Policy
In this policy, references to “Accurics”, “us”, “we” and “our” mean Accurics, Inc., a privately held company.
Accurics was founded on the idea that companies should be able to innovate in the cloud with confidence by enabling cyber resilience through technology that allows them to scan their cloud native technologies for misconfigurations so that they can identify them, fix them, and improve their security. We have created technologies that enable our customers to do just that, without slowing down development velocity while ensuring that their software is developed secure from the start.
With this in mind, transparency and openness in sharing information that could improve the security of every organization are among our core values. Accurics is committed to working with the research community to protect our company and our customers. We encourage and welcome anyone who believes they have identified a vulnerability to contact us with security concerns or information pertinent to the integrity, functionality, or confidentiality of our enterprise or open source software.
The terms below apply to any website, application, or service distributed by or hosted by Accurics, Inc.
Please use the email address [email protected] to alert us to:
- Vulnerabilities or breaches in our software or environments which threaten the confidentiality, integrity or availability of our data, software, or services, or our customers’ data
- Applications that mimic, mislabel, misdirect, or “copycat” Accurics, or phishing attacks even if they do not originate from Accurics sources
- Written or verbal discussion, activities, or data in any public forum which you believe constitutes a threat to Accurics, our employees or our customers
How to disclose a vulnerability or security issue to Accurics, Inc.
If you are uncomfortable sending any of the following content by email, you may mask or redact sensitive content or encrypt data using a GPG key.
Your submission should contain:
- Clear description and evidence of the vulnerability (logs, screenshots, responses or other evidence)
- The tool(s) you used in discovering the vulnerability
- Date of discovery
- Detailed steps to reproduce the issue, if possible
- Any platforms, operating systems, and versions that are relevant
- Any relevant IP addresses or URLs
- Your assessment of the exploitability or impact of the issue
- Your name and contact details
- Provide a detailed and complete submission
- Be sure to include your contact information so that Accurics can communicate as necessary
- Be specific and detailed
- Treat the vulnerability report and any vulnerability as confidential information, and do not divulge any such information to any third person (except disclosure to Accurics) until public disclosure is mutually agreed upon with Accurics
- Report vulnerabilities in a vendor we integrate with or leaks of Accurics customer data
- Do not break international, federal, state or local laws
- Do not put Accurics data, employees or customers at risk
- Do not perform any unsolicited testing that would result in a denial of service (DoS), attempt at physical access, or anything that could be considered social engineering against Accurics employees
Accurics has taken measures to ensure that reports of this nature are treated with high value and can be responded to quickly and effectively. For credible vulnerability disclosures that provide the required information, Accurics commits to confirming receipt within 48 business hours.
We will not respond to:
- Hoaxes or anonymous reports
- Reports that are generic or lack evidence to be verified
- Reports that bear no relevance to Accurics as a company, its technologies or its employees or customers
- Reports that are non-actionable
Accurics believes in coordinated disclosure with regard to vulnerabilities that have been reported to us and fixed. We expect professional conduct and will seek to agree on reasonable timelines for updates and coordination with security researchers and others who may report vulnerabilities.
We will work diligently to address vulnerabilities and will work with you to set expectations on the timeline for fixing a vulnerability, but we do not adhere to specific windows of time for either fixes or updates to the person who filed the report. We will disclose publicly alongside anyone who makes a report that helps us ensure our technologies, data and employees are secure. At this time, we are not offering financial compensation for vulnerability reports; however, we would be happy to offer company swag as a token of our appreciation.
Please click here to report a vulnerability or other information security issues.
Customers, please log in to the Accurics Platform and click “Contact Us” to report a vulnerability or other information security issues.
Thank you for helping keep Accurics secure!