Responsible Disclosure

Guidelines for reporting a security vulnerability

If you believe you have discovered a vulnerability in an Akouto product, system or web-facing property, please submit a vulnerability report via email to info [at] akouto.com. Please note, Akouto does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

PGP Key:


Please do not publicly disclose these details without first contacting Akouto and obtaining express prior written agreement from Akouto.

Akouto Disclosure Policy

Security is the primary goal at Akouto, and we are committed to keeping our customers safe. One of the ways we work to achieve this goal is by using a Secure Development Lifecycle process to integrate security into our products from design through development and release.

Sometimes, despite our best efforts, vulnerabilities escape detection, or new exploits are released after the product is already on the market. While we work to minimize these occurrences, we are also prepared to respond quickly to resolve them.

At Akouto we are committed to investigating all received vulnerability reports and implementing the quickest and best course of action in order to protect our customers. We invite all security researchers who discover a security vulnerability in our products to share this information with us in a responsible manner. If a verified vulnerability in compliance with Akouto’s Responsible Disclosure Policy is identified, Akouto commits to:

  • Respond promptly within 48 business hours to acknowledge receipt of any vulnerability reports, working closely with security researchers to understand the nature of the issue and work on timelines for fix/disclosure together.
  • Provide prompt notification when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated.

Akouto supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. In our ongoing efforts to encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

  • Provide Akouto with an opportunity to correct the vulnerability within a reasonable time frame before publicly disclosing the identified issue, in order to ensure that Akouto has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
  • Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
  • Not modify or destroy data that does not belong to you.

Guidelines for responsible disclosure suggest that customers have an obligation to patch their systems as quickly as possible. It is routine to expect patching to be completed within 30 days after release of a security patch or update.

Akouto advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch systems in a timely manner.

The responsibility for adhering to this policy and reviewing the effectiveness of actions taken to respond to concerns raised under this policy is overseen by Akouto’s senior management team. Various officers of Akouto have routine operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.

Permitted Research

Akouto is grateful for your responsible disclosure should a vulnerability be discovered; however, we do not authorize any activities to scan for or exploit vulnerabilities on any production systems or applications.