Reporting weaknesses in our IT systems

We work hard every day to maintain and improve our systems and processes so that our customers can use our products and services safely online at all times. However, should you find a weakness in one of our IT systems, we would appreciate your help.

Reporting

What you can report

You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. Examples are:

  1. AS2 protocol-level vulnerabilities, such as forged digital signatures or broken encryption
  2. SQL injection vulnerabilities

What you should not report

We use Amazon CloudFront as our CDN and therefore use the AWS-recommended settings for maximum browser compatibility. Please do NOT report that weak encryption algorithms are enabled when viewing our web pages over SSL.

How to report a weakness

You can report weaknesses to us by email to responsible.disclosure@adroitlogic.com. State concisely in your email what weakness(es) you have found. We will take appropriate action based on the severity. Our security experts will investigate your report and will reply to you if we require more information.

Reporting an issue by any other means (e.g. to other email addresses designated for business use, such as but not limited to info@adroitlogic.com) will not be considered, as our administration staff who read such emails will mark them as spam and/or block your email address from reaching us again.

Please note that due to a recent increase in reports of issues of a very minor nature, we are compelled to ignore reports we do not consider to be serious. To avoid wasting both your time and ours, we request that you first email us your profile (including references to any previous issues found) and any vulnerabilities that you wish to test. Only proceed with any investigations if you receive a confirmation reply from us to proceed. To request permission to proceed, please email your profile to vulnerability.testing.request@adroitlogic.com.

Rules

Observe the rules

If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offence to the authorities.

It is important for you to know, however, that the public prosecutor’s office – not AdroitLogic – will decide whether or not you will be prosecuted, regardless of whether we report your offence to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offence when investigating a weakness.

Rules

Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.

  1. Do not use weaknesses you discover for purposes other than your own investigation.
  2. Do not use social engineering to gain access to a system.
  3. Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
  4. Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
  5. Do not alter the system in any way.
  6. Only infiltrate a system if absolutely necessary. If you do manage to infiltrate a system, do not share access with others.
  7. Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Frequently-asked questions

Will I receive a reward for my investigation?

You might receive a reward – but we are not required to give you one. You are not necessarily entitled to compensation, especially if your investigation is unable to alter our internal systems or databases. The amount of the reward, if any, is not fixed in advance. AdroitLogic determines the amount, based on the following:

  • The caution taken in your investigation
  • The quality of your report
  • The amount of potential damages prevented as a result of your report

You will NOT receive a reward or reply if you have not followed the instructions listed above, especially if you do not use the proper email addresses to request permission and to disclose any vulnerabilities.

Am I allowed to publicise the weaknesses I find and my investigation?

No. Under no circumstances should any weaknesses in our IT systems or your investigation be published without our prior written permission. Please note that as a policy we do not generally allow any such publication, even after an issue is resolved.

What shouldn’t I use this email address for?

The email address responsible.disclosure@adroitlogic.com is not intended for the following:

  • To submit complaints about AdroitLogic’s products or services
  • To submit questions or complaints about the availability of the website
  • To report viruses

Can I report a weakness anonymously?

Yes, you can. You do not have to give us your name and contact details when you report a weakness.