Authentic8 believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency, and common good between Authentic8 and Security Researchers. This policy is meant to give security researchers clear guidelines for conducting vulnerability discovery activities and submitting reports of discovered vulnerabilities to Authentic8. By conducting vulnerability research activities, you agree to and are bound by the terms and conditions detailed in this page. These terms are governed by Delaware law and constitute the entirety of the agreement between you and Authentic8. Any changes to the terms in this policy must be made in writing and agreed upon by both parties.
Authentic8 accepts vulnerability reports from independent security researchers, industry partners, vendors, customers, and consultants. Authentic8 defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.
This policy defines “Security Research” as activity that is meant to identify and confirm a security vulnerability and which:
Upon discovery of a security vulnerability or sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must:
The following test methods are not authorized unless permitted via a specific Authentic8 engagement and an accompanying, signed agreement between Authentic8 and the Security Researcher(s):
Service-affecting testing is not authorized on any domain, service, or property of Authentic8 unless permitted via a specific engagement and an accompanying Authentic8-signed agreement.
| In-Scope Services and Domains* |
|---|
| Authentic8 Silo (SaaS) |
| authentic8.com |
| a8silo.com |
| getsilo.com |

*Includes Security Research in accordance with this Policy and expressly excludes any service-affecting testing.
Authentic8 encourages security researchers to use this program to responsibly disclose any incidentally discovered security vulnerabilities and exposures that are applicable to the domains, sub-domains, and services listed above. Websites and services that are not listed here are considered out of scope for this policy. Vulnerabilities that are discovered in non-Authentic8 systems and/or which are specifically attributable to our sub-processors (https://www.authentic8.com/third-party-processors) are out-of-scope and should be reported directly to the vendor according to their disclosure policy.
Authentic8 accepts vulnerability reports that are submitted via the form included on this page. We do not support reports that are submitted via e-mail.
Information submitted under this policy will be used to mitigate or remediate vulnerabilities. Depending on the scope of your findings, Authentic8 may share your report with third parties at its discretion. This includes, but is not limited to, the U.S. Cybersecurity and Infrastructure Security Agency, contracted cybersecurity vendors, and Authentic8 customers.
By clicking “Report vulnerability” in the form on this page, you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Authentic8 systems, and consent to having the contents of the communication and follow-up communication stored in Authentic8 systems and any systems or services that are leveraged by Authentic8 (i.e., Bugcrowd). Because Authentic8 leverages Bugcrowd services for vulnerability report submissions, your submission must also adhere to their terms and conditions.
Authentic8 reserves the right to change, remove, or modify the terms and conditions of this policy at any time, with or without notice. Before sending each submission, please review the terms of this policy to ensure full compliance.
Authentic8 cannot guarantee any response or remuneration for reported vulnerabilities.