If you believe you have discovered a potential security vulnerability or bug within any of Aqua Security’s publicly available resources, sites, or one of our services or products, we would like you to let us know as quickly as possible by emailing our Security Team at [email protected].
Our team will review the disclosed information, evaluate, and if possible, remediate or mitigate the findings.
Report a Vulnerability
Please let us know about the vulnerabilities you identify as quickly as possible. The report sent to [email protected] should include sufficient information for us to validate and reproduce the issue, including:
- The service, resource, site or product affected. Please include URL, IP address, resource or product name.
- Detailed description of the vulnerability.
- Description, steps were taken and tools that were used to discover the vulnerability.
- Projected impact of the vulnerability and likely attack scenario.
- Proof of Concept (PoC) – please supply instructions demonstrating how the vulnerability might be exploited.
- Remediation, mitigation or corrective actions of how to fix the vulnerability.
Important to mention
- Please do not publicly disclose the details of any potential security vulnerabilities without written consent from Aqua Security authoritative department.
- Aqua Security does not condone any malicious or illegal behavior in the identification and reporting of security vulnerabilities and you should not engage in any activity that violates applicable laws.
- If you discover personally identifiable information (PII) while exploring a suspected security vulnerability, please cease your investigation and report the vulnerability that led to such discovery immediately.
Things to Avoid
If you are considering submitting a vulnerability report, your values clearly align with ours. You know how critical security is and you want to protect the information. Understanding this shared perspective, we do not want you to take on or create unnecessary risk in order to discover a vulnerability.
Accordingly, we ask that you kindly avoid performing actions that may:
- Negatively affect availability or integrity of any of Aqua Security or its customers services, infrastructure or data.
- Retain or disclose any Personally Identifiable Information (PII) discovered.
- Violate any other applicable laws or regulations.
Aqua recognizes and rewards security researchers who help us keep people safe by reporting vulnerabilities in our services.
- Monetary bounties for such reports are entirely and solely at Aqua’s discretion, based on risk, impact, and other factors.
- To potentially qualify a bounty, you first need to follow the requirements and adhere to Responsible Disclosure Program.
- We investigate all valid reports. In case found qualified, we award a bounty to the first person to submit an issue.
- Bounty amounts determined based on a variety of factors, including but not limited to impact, ease of exploitation, and quality of the report.
- If we pay a bounty, the minimum reward is $20 USD. Note that extremely low-risk issues may not qualify for a bounty at all.