General
This policy applies to security researchers interested in reporting security vulnerabilities. If you have reported an issue that is determined to be within program scope and to be a valid security issue, and you have followed program guidelines, Allied Solutions, LLC will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued.
In Scope
Vulnerabilities in hardware and software owned and operated by Allied Solutions, LLC with demonstrated impact to include:
- OWASP Top 10 vulnerabilities in web applications
- Infrastructure vulnerabilities
- Other vulnerabilities with demonstrated impact
Out of Scope
Vulnerabilities in hardware and software either not owned and operated by Allied Solutions, LLC or without demonstrated impact to include:
- Theoretical vulnerabilities
- Vulnerabilities which provide informational disclosure of non-sensitive information
- Vulnerabilities without demonstrable impact
- Vulnerabilities in third party systems
The following types of tests are considered out of scope:
- Denial of Service (DoS) tests
- Defacement
- Physical security testing, e.g., office access, tailgating
- Social engineering
- Intentionally and/or potentially disruptive tests, e.g., DNS spoofing
- Functionality bugs, clickjacking, and spoofing email
Handling Consumer Information
If you uncover any of the following types of information during testing, stop testing and notify us immediately:
- Personally identifiable information, e.g., Social Security Numbers, driver’s license numbers
- Financial information, e.g., bank account numbers
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and Allied Solutions, LLC will not initiate or recommend legal action related to your research.
When conducting vulnerability research according to the guidelines and scope of this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls; and
- Exempt from restrictions in any software Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us through one of the channels in the "Reporting a vulnerability" section before going any further.
Reporting a Vulnerability
Submit a vulnerability report to securitybugs@alliedsolutions.net. This report should contain the following:
- A description of the vulnerability and affected assets
- A detailed description of the steps to exploit the vulnerability or otherwise reproduce the issue including proof-of-concept code and screenshots
- Any other technical information germane to the vulnerability
We encourage the use of encryption during the disclosure process. Use the following PGP key to protect the submitted information.
Coordinated Disclosure
Allied Solutions, LLC believes that the information disclosed is valuable to the public and expects that a security researcher would desire to disclose their work publicly. Doing so in a coordinated manner is crucial to the overall security posture of the Internet.
You can expect that our team will adhere to the following:
- We will acknowledge receipt of disclosure within seven (7) business days.
- We will work with you to understand the vulnerability, its impact, and potential resolutions.
- We will provide you with periodic updates on our progress.
We expect you, as a security professional working within a responsible disclosure policy, to adhere to the following:
- Do not disclose information relating to the vulnerability to any third party until either:
  - The vulnerability is remediated; or
  - 90 days have elapsed from the date of disclosure.
- Coordinate your public disclosure with our team to ensure you are not releasing sensitive information.