ACT Bug Bounty Program Policy

  • Security is a collaboration

    At Atria Convergence Technologies Limited (ACT), safeguarding our data and any other data entrusted to us is our top most priority. We encourage security researchers to work with us to identify potential security vulnerabilities in our services and responsibly disclose such vulnerabilities to us improve our services and security.
    We request you to understand that as we take security vulnerability issues very seriously, we would appreciate proper and responsible reporting of such issues to us so that we can take requisite steps to fix the potential problems as early as possible. Hence, we strongly believe in a synergistic and coordinated approach to ensure the best possible protection of our data and services.

  • Reporting under Bug Bounty Program Terms of Reporting:
Internet Security
Way Forward

If you identify a legitimate security vulnerability, we want to hear about it right away. Your submission will be reviewed and validated by a member of ACT’s Cyber Security Incident Response Team. Providing clear and concise steps to reproduce the issue will help us to expedite the response and we will try to provide our inputs within 5 working days.
You shall not disclose any vulnerability with any 3rd Party or to any public at large including through any social network, public / media without prior written consent from ACT.
This Bug Bounty Policy shall be read along with ACT’s Vulnerability Disclosure policy and only upon you complying with our Vulnerability Disclosure Policyhttps://www.actcorp.in/legal/disclaimer , you shall be eligible under this Bug Bounty Policy.

Note Before Reporting:

Please, encrypt all email messages containing information related to potential security vulnerabilities. If you are having trouble encrypting your vulnerability report or have any questions about the process send an Email to (cybersecurity@actcorp.in). We will work with you to identify a method to securely transmit your vulnerability report.

The following information is a ‘must’ to be included in the report:

  • The name(s) of the ACT product or technology and the respective version information.
  • Detailed description of the potential security vulnerability.

Proof-of-concept (POC) that details the reproduction of the potential security vulnerability. We assure you that if you provide us a detailed initial Report of your findings, we will do our best acknowledge your report and work towards fixing the identified issues at the earliest.

Security Researcher and Reporter Eligibility Criteria ACT BUG BOUNTY Eligibility Criteria

If you consider yourself to be eligible to participate in the Bug Bounty Program, you must fulfil the following criteria:

  • You are reporting under this Program in your individual capacity. If you are employed by a company or other entity and are reporting on behalf of your employer, you must furnish your employer’s written approval to submit a report to ACT’s Bug Bounty program.
  • You are at least 18 years of age.
  • You must agree to the terms and conditions of ACT’s Vulnerability Disclosure Policy.
  • You must not have any present or past record of committing any offence for violation of any Law of the land.
  • You are not currently nor have been an employee of ACT, or ACT’ subsidiary or group companies, within 6 months prior to submitting a report.
  • You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed above.
  • You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your findings with ACT.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • You did not and shall not violate any applicable law or regulation, including Cyber security laws or such other data security and privacy laws prohibiting unauthorized access to information. It is clarified that, any vulnerability security testing done in compliance with this Policy shall be deemed to be authorised by ACT.
  • There may be additional restrictions on your eligibility to participate in the Bug Bounty Program if the same is deemed necessary by ACT’s Management. If at any point while researching a vulnerability, you are unsure whether you should continue, please send an Email to ( cybersecurity@actcorp.in ) without any delay.

Report the details of such testing to ACT immediately so that there is an internal alert created and the sanctity of the investigation conducted by ACT to address the issue is maintained . It is critical to note that failure to comply with any of the above mentioned criteria would immediately disqualify you from being eligible for an award under the Bug Bounty Program.

Sensitive and Personal Information

At ACT, maintaining the security and integrity of our customer’s, employee’s or any other service related personal data is very significant. You as a Security Researcher must ensure that you respect ACT’s privacy policy and act in good faith at all times. Please note that, you must never exploit a vulnerability by attempting to access anyone else's data or personal information. Such activity is considered unauthorized and if during the testing you interact with or obtain access to such private/confidential data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.

Report the details of such testing to ACT immediately so that there is an internal alert created and the sanctity of the investigation conducted by ACT to address the issue is maintained . It is critical to note that failure to comply with any of the above mentioned criteria would immediately disqualify you from being eligible for an award under the Bug Bounty Program.

Sensitive and Personal Information
Eligible Reports (in scope) To be eligible for bounty award consideration, your report must meet the following requirements:
  • The report and any accompanying material sent to ACT has been encrypted with the zip and send through Email .
  • The vulnerability identified by you must be original i.e. it should not be previously reported to ACT, and also not publicly disclosed.
  • The report must clearly evidence that the potential vulnerability has been demonstrated against the most recent publicly available version of the affected product or technology.
The report must contain clear documentation that provides the following:
  • An overview/summary of the reported vulnerability and potential impact.
  • Detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited and likelihood of a successful exploit.
  • The name and specific version of the ACT product(s) the potential vulnerability is reported on.
  • Proof of Concept (POC) code or instructions that clearly demonstrates an exploit of the reported vulnerability. The POC must include instructions that if followed by the ACT product engineering team would successfully demonstrate existence of and exploitability of the vulnerability.
  • Information on how any Proof of Concept (POC) code was developed and compiled. If appropriate, include the description of the development environment, including the compiler name, compiler version, options used to compile, and operating system revisions.
    We encourage a coordinated disclosure of all potential vulnerabilities with respect to ‘ACT branded’ products and technologies that are maintained and distributed by ACT.
ACT, at its sole discretion, may reject any submission that we determine does not meet these criteria above or that are deemed as ineligible as set forth below. ACT Bug Bounty Awards
Ineligible Reports (out of scope)

The following are general categories of vulnerabilities that are considered ineligible for a bounty award:

  • Vulnerabilities in pre-release product versions (e.g., Beta, Release).
  • Vulnerabilities in product versions no longer under active support.
  • Vulnerabilities already known to ACT. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be ineligible for a bounty award.
  • Vulnerabilities present in any module of an ACT product where the root-cause vulnerability in the module has already been identified for another ACT product.
  • Vulnerabilities in products and technologies that are not listed as “Eligible ACT branded products and technologies”, including vulnerabilities considered out of scope as defined below.

NOTE:

We genuinely appreciate the efforts of Security Researchers who share the requisite information on security or vulnerability issues with us and give us the support to improve our services. However, any conduct by a Security Researcher or reporter that appears to be unlawful, malicious, or of criminal in nature including but not limited to extortion would be immediately disqualified for submission from the Program under this Policy.
Bug Bounty Awards

Eligibility for any bug bounty award and award amount determinations are made at ACT’s sole discretion. The below mentioned points are general guidelines that may vary from published documentation:

  • The Awards may be greater:
    • based on the potential impact of the security vulnerability
    • for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
    • if a functional mitigation or fix is proposed along with the reported vulnerability.
    • ACT will award a bounty award for the first eligible report of a security vulnerability.
  • Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
  • ACT will award a bounty from ₹5000 to ₹50,000 Indian Rupees depending on the vulnerability type and originality, quality, and content of the report.
  • Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.
Bounty Award Schedule

Each bug bounty report is individually evaluated based on the technical details provided in the report. ACT generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.

  • Vulnerability Assessment – ACT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
  • Triage - A team of ACT product engineers and security experts will determine if a vulnerability is valid and an eligible ACT product or technology is impacted.
  • Vulnerability severity determination – ACT works with the ACT product security engineers and ACT security experts to determine the severity and impact of a vulnerability.

    ACT’s bug bounty awards range from ₹5000 up to ₹50,000. We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, impact of the potential vulnerability, severity score, whether a POC was provided and the quality of the POC, type of vulnerability. The below table is reflecting to the potential award amounts.

    Vulnerability Severity Priority ( P ) ACT Web App / Mobile App
    Critical (P1) ₹25,000 to ₹50,000
    High ( P2) ₹15,000 to ₹25,000
    Medium ( P3) ₹10,000 to ₹15,000
    Low ( P4) ₹5,000 to ₹10,000
  • Bounty Award Payment

    Bounty award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at ACT’s sole discretion and will be made on a case-by-case basis.

    ACT makes no representations regarding the tax consequences of the reward or payment that ACT makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.

    ACT intellectual Property

    By submitting your content to ACT (your “Submission”), you agree that ACT may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant ACT any and all rights to your Submission needed to do so.

    ACT reserves the right to alter the terms and conditions of this program at its sole discretion.

Chat