ACT Bug Bounty Program Policy

  • Security is a collaboration

    At Atria Convergence Technologies Limited (ACT), safeguarding our data and any other data entrusted to us is our topmost priority. We encourage security researchers to work with us to identify potential security vulnerabilities in our services, products and network, and to responsibly disclose such vulnerabilities to us so that we can improve them.
    We take security vulnerability issues very seriously, and we request you to understand that proper and responsible reporting of such issues to us allows us to take the requisite steps to fix potential problems as early as possible. We therefore strongly believe in a synergistic and coordinated approach to ensure the best possible protection of our data, products, network and services.

  • Reporting under the Bug Bounty Program: Terms of Reporting

If you identify a legitimate security vulnerability, we want to hear about it right away. Your submission will be reviewed and validated by a member of ACT’s Cyber Security Incident Response Team. Providing clear and concise steps to reproduce the issue will help us to expedite the response and we will try to provide our inputs within 5 working days.
You shall not disclose any vulnerability to any third party or to the public at large, including through any social network or public media, without prior written consent from ACT.
This Bug Bounty Policy shall be read along with ACT’s Vulnerability Disclosure Policy (https://www.actcorp.in/legal/disclaimer), and only upon complying with that Vulnerability Disclosure Policy shall you be eligible under this Bug Bounty Policy.

Note Before Reporting:

Please encrypt all email messages containing information related to potential security vulnerabilities. If you are having trouble encrypting your vulnerability report or have any questions about the process, send an email to cybersecurity@actcorp.in. We will work with you to identify a method to securely transmit your vulnerability report.

The following information must be included in the report:

  • The name(s) of the ACT product or technology and the respective version information.
  • Detailed description of the potential security vulnerability.
  • Proof-of-concept (POC) that details the reproduction of the potential security vulnerability.

We assure you that if you provide us a detailed initial report of your findings, we will do our best to acknowledge your report and work towards fixing the identified issues at the earliest.

Security Researcher and Reporter Eligibility Criteria

If you consider yourself to be eligible to participate in the Bug Bounty Program, you must fulfil the following criteria:

  • You are reporting under this Program in your individual capacity. If you are employed by a company or other entity and are reporting on behalf of your employer, you must furnish your employer’s written approval to submit a report to ACT’s Bug Bounty program.
  • You are at least 18 years of age.
  • You must agree to the terms and conditions of ACT’s Vulnerability Disclosure Policy.
  • You must not have any present or past record of committing any offence for violation of any Law of the land.
  • You are not currently, and have not been within the 6 months prior to submitting a report, an employee of ACT or of any ACT subsidiary or group company.
  • You are neither a family nor household member of any individual who currently or within the past 6 months meets or met the criteria listed above.
  • You agree to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of your findings with ACT.
  • You did not and will not access any personal information that is not your own, including by exploiting the vulnerability.
  • You did not and shall not violate any applicable law or regulation, including cyber security laws or such other data security and privacy laws prohibiting unauthorized access to information. It is clarified that any vulnerability security testing done in compliance with this Policy shall be deemed to be authorised by ACT.
  • There may be additional restrictions on your eligibility to participate in the Bug Bounty Program if the same is deemed necessary by ACT’s Management. If at any point while researching a vulnerability you are unsure whether you should continue, please send an email to cybersecurity@actcorp.in without any delay.

It is critical to note that failure to comply with any of the above mentioned criteria would immediately disqualify you from being eligible for an award under the Bug Bounty Program.

Sensitive and Personal Information

At ACT, maintaining the security and integrity of our customers’, employees’ or any other service-related personal data is very significant. You as a Security Researcher must ensure that you respect ACT’s privacy policy and act in good faith at all times. Please note that you must never exploit a vulnerability by attempting to access anyone else's data or personal information. Such activity is considered unauthorized, and if during the testing you interact with or obtain access to such private/confidential data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information or the vulnerability.
  • Do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
  • Report the details of such testing to ACT immediately so that an internal alert is created and the sanctity of the investigation conducted by ACT to address the issue is maintained.

It is critical to note that failure to comply with any of the above mentioned criteria would immediately disqualify you from being eligible for an award under the Bug Bounty Program.

Eligible Reports (in scope)

To be eligible for bounty award consideration, your report must meet the following requirements:
  • The report and any accompanying material sent to ACT has been encrypted as a zip archive and sent through email.
  • The vulnerability identified by you must be original i.e. it should not be previously reported to ACT, and also not publicly disclosed.
  • The report must clearly evidence that the potential vulnerability has been demonstrated against the most recent publicly available version of the affected product or technology.
The report must contain clear documentation that provides the following:
  • An overview/summary of the reported vulnerability and potential impact.
  • Detailed explanation of the reported vulnerability, how it can be exploited, the impact of the vulnerability being successfully exploited and likelihood of a successful exploit.
  • The name and specific version of the ACT product(s) the potential vulnerability is reported on.
  • Proof of Concept (POC) code or instructions that clearly demonstrate an exploit of the reported vulnerability. The POC must include instructions that, if followed by the ACT product engineering team, would successfully demonstrate the existence and exploitability of the vulnerability.
  • Information on how any Proof of Concept (POC) code was developed and compiled. If appropriate, include the description of the development environment, including the compiler name, compiler version, options used to compile, and operating system revisions.
We encourage a coordinated disclosure of all potential vulnerabilities with respect to ‘ACT branded’ products and technologies that are maintained and distributed by ACT.
ACT, at its sole discretion, may reject any submission that we determine does not meet the criteria above or that is deemed ineligible as set forth below.
Ineligible Reports (out of scope)

The following are general categories of vulnerabilities that are considered ineligible for a bounty award:

  • Vulnerabilities in pre-release product versions (e.g., Beta, Release).
  • Vulnerabilities in product versions no longer under active support.
  • Vulnerabilities already known to ACT. However, if you are the first external security researcher to identify and report a previously known vulnerability, you may still be ineligible for a bounty award.
  • Vulnerabilities present in any module of an ACT product where the root-cause vulnerability in the module has already been identified for another ACT product.
  • Vulnerabilities in products and technologies that are not listed as “Eligible ACT branded products and technologies”, including vulnerabilities considered out of scope as defined below.

NOTE:

We genuinely appreciate the efforts of Security Researchers who share the requisite information on security or vulnerability issues with us and give us the support to improve our services. However, any conduct by a Security Researcher or reporter that appears to be unlawful, malicious, or criminal in nature, including but not limited to extortion, would immediately disqualify the submission from the Program under this Policy.
Bug Bounty Awards

Eligibility for any bug bounty award and award amount determinations are made at ACT’s sole discretion. The below mentioned points are general guidelines that may vary from published documentation:

  • The Awards may be greater:
    • based on the potential impact of the security vulnerability;
    • for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material (see the eligible report requirements above);
    • if a functional mitigation or fix is proposed along with the reported vulnerability.
  • ACT will award a bounty for the first eligible report of a security vulnerability.
  • Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
  • ACT will award a bounty from ₹5,000 to ₹25,000 (Indian Rupees) depending on the vulnerability type and the originality, quality, and content of the report.
  • Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.
Bounty Award Schedule

Each bug bounty report is individually evaluated based on the technical details provided in the report. ACT generally follows the processes below to evaluate and determine the severity of a reported potential security vulnerability.

  • Vulnerability Assessment – ACT ensures that all requested information has been provided for Triage. See the Bug Bounty Reporting section above for a list of required information.
  • Triage - A team of ACT product engineers and security experts will determine if a vulnerability is valid and an eligible ACT product or technology is impacted.
  • Vulnerability severity determination – ACT works with the ACT product security engineers and ACT security experts to determine the severity and impact of a vulnerability.

    ACT’s bug bounty awards range from ₹5,000 up to ₹25,000. We take into consideration a range of factors when determining the award amount for eligible reports. Those factors include, but are not limited to, the quality of the report, the impact of the potential vulnerability, the severity score, whether a POC was provided and the quality of that POC, and the type of vulnerability. The table below reflects the potential award amounts.

    Vulnerability Severity   Priority (P)   Bounty
    Critical                 P1             ₹25,000
    High                     P2             ₹15,000
    Medium                   P3             ₹10,000
    Low                      P4             ₹5,000
  • Bounty Award Payment

    Bounty award arrangements under this program, including but not limited to the timing, bounty amount and form of payments, are at ACT’s sole discretion and will be made on a case-by-case basis.

    ACT makes no representations regarding the tax consequences of the reward or payment that ACT makes under this program. Participants in this program are responsible for any tax liability associated with bounty award payments.

    ACT Intellectual Property

    By submitting your content to ACT (your “Submission”), you agree that ACT may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant ACT any and all rights to your Submission needed to do so.

    ACT reserves the right to alter the terms and conditions of this program at its sole discretion.

Vulnerability Disclosure Policy

At ACT, maintaining the security and integrity of our network, Services and Products is a priority. We are committed to creating a safe, transparent environment in which to report vulnerabilities. Hence, ACT appreciates the work of security researchers in improving the security of our network, Services and Products.

If you find any security vulnerability that could impact ACT or our customers, we encourage you to report it right away. Any legitimate incident reported by you shall be investigated internally and we shall fix the problem as soon as we can. In this regard, we request you to follow ACT's Vulnerability Disclosure Policy and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.

  • Scope
    • This Disclosure program includes all applications and services that ACT provides, including any product that ACT may provide as part of its Services.
    • All vulnerabilities affecting ACT should be reported via email to the Cyber Security Incident Response Team at Cybersecurity@actcorp.in.
  • Eligible Vulnerabilities
    • In order to be eligible under our Vulnerability Disclosure Policy, the following conditions need to be met:
      • You must agree to our Vulnerability Disclosure Policy.
      • You must be the first person to responsibly disclose an unknown issue.
      • You must submit a proper summary of the vulnerability and reproduce all the steps as may be required by ACT’s security team.
      • All legitimate reports will be reviewed and assessed by ACT’s security team to determine if it is eligible.
    • We encourage the coordinated disclosure of vulnerabilities of the following kinds:
      • Cross-site scripting
      • Sensitive Data Exposure – stored Cross-Site Scripting (XSS), SQL Injection (SQLi), etc.
      • Authentication or Session Management related issues
      • Remote Code Execution
      • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
      • Cross-site request forgery in a privileged context
      • Server-side code execution
      • Authentication or authorization flaws
      • Injection Vulnerabilities
      • Directory Traversal
      • Information Disclosure
      • Significant Security Misconfiguration
  • Program Exclusions

    While we encourage any submission affecting all applications, networks, products and services that ACT provides, including any product that ACT may provide as part of its Services, the following examples are excluded from this program:

    • All issues without clearly identified security impact, missing security headers, or descriptive error messages will be considered out of scope.
    • Your findings should be supported by clear and precise documentation with no speculative information.
    • All findings should have an indication of relevance and impact. We reserve our right not to act in case of findings with no real risk impact on our data integrity and security.
    • All research violating the terms of this Policy, the Terms of Service, the Safety and Security and data-related documentation, or governing law shall be treated as acting in bad faith and in an illegal manner.
    • We are not obliged to provide remuneration, fees or rewards for any vulnerability disclosure; such action remains at our full discretion.
      • Denial of Service (DoS) – Either through network traffic, resources exhaustion or others
      • User enumeration
      • Issues only present in old browsers/old plugins/end-of-life software browsers
      • Phishing or social engineering of ACT employees, users or clients
      • Systems or issues that relate to Third-Party technology used by ACT
      • Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
      • Any attack or vulnerability that hinges on a user’s computer first being compromised
      • Any vulnerability obtained through the compromise of ACT customer or employee accounts.
      • Missing Best Practice, Configuration or Policy Suggestions.
      • Knowingly posting, transmitting, uploading, linking to, or sending any malware.
      • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.
      • Testing must not violate any law, or disrupt or compromise any data that is not your own.
  • Process
    • Your submission will be reviewed and validated by a member of ACT’s Cyber Security Incident Response Team. Providing clear and concise steps to reproduce the issue will help us to expedite the response.
    • You shall not disclose any vulnerability with any 3rd Party or to any public at large including through any social network, public / media without prior written consent from ACT.