Responsible Disclosure Program
If you are a security researcher and have found a vulnerability, an abuse risk, or a security-related bug in an Amagi product, domain, or website, you can report it to us under Amagi's Responsible Disclosure Program.
To report a potential security vulnerability, risk, or bug, send an email to infosec.team@amagi.com with details in the format below, and we'll get in touch. The more elaborate the initial details, the easier it will be for Amagi to evaluate the relevance and validity of the report.
Reporting Format
Email Subject: External Bug Report <single line bug summary>
Email Body:
- Description of the bug
- Description of the attack scenario
- The impact of this scenario
- Steps to reproduce the reported vulnerability
- Proof of exploitability (e.g. screenshot, video)
- Perceived impact to another user or the organization
- List of URLs and affected parameters
- Other vulnerable URLs, additional payloads, Proof-of-Concept code
- Browser, OS, and/or app version used during testing
- Bug resolution and fix.
Disclaimer:
- Eligibility for any reward arrangements under this program, including but not limited to the timing, reward amount, and form of payments, is at Amagi's sole discretion and will be determined on a case-by-case basis.
- Amagi makes no representations regarding the tax consequences of the payments under this program. Participants in this program are responsible for any tax liability associated with reward payments.
Eligibility Criteria:
All criteria must be met in order to participate in the Responsible Disclosure Program.
The researcher:
- Is not currently, and has not been within the 6 months prior to submitting a report, an employee (contract or FTE) of Amagi.
- Is neither a family nor household member of any individual who currently is, or within the past 6 months has been, an employee (contract or FTE).
- Will not use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
- If sensitive information, such as personal information, credentials, etc., is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery. All copies of sensitive information must be returned to Amagi and may not be retained.
- May not, and is not authorized to, engage in any activity that would be disruptive, damaging, or harmful to Amagi brands or its customers. This includes social engineering, phishing, and denial of service attacks against users or employees.
- May not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized employees), or otherwise share vulnerabilities with a third party, without Amagi's express written permission.
- Agrees to participate in testing mitigation effectiveness and in coordinating disclosure/release/publication of the finding.
- Did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
- If, at any point while researching a vulnerability, you are unsure whether you should continue, immediately send a message to infosec.team@amagi.com.