Vulnerability Disclosure Policy
Alex Tech has developed this policy both to reflect our corporate values and to uphold our
legal responsibility to good-faith security researchers who provide us with their expertise.
Alex Tech agrees not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Alex Tech or its customers
- Engage in vulnerability testing of products without affecting customers (i.e., do not engage in vulnerability testing against their devices/software, etc.)
- Adhere to the laws of their location and the location of Alex Tech
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires
Reporting security issues
If you believe you have discovered a vulnerability in an Alex Tech product or have a security incident to report, please email us at email@example.com or submit it via the CVD-report form.
What we would like from you
- Reports should be written in English whenever possible
- Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability. Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names.
- Reports may include proof-of-concept code that demonstrates exploitation of the vulnerability.
- We request that any scripts or exploit code be embedded into non-executable file types.
What you can expect from us
- If you choose to share your contact information with us, we will acknowledge receipt of your report in a timely manner (generally within 3 business days).
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
- We will give you credit for discovering the vulnerability in public communications after the vulnerability has been validated and fixed, unless you specify in writing that you would prefer to stay anonymous.
- We will handle your report confidentially and will not share personal details with third parties without your consent, unless obliged to do so pursuant to a statutory provision or a legal ruling.
Questions regarding this policy may be sent to firstname.lastname@example.org. We also invite you to contact us with suggestions for improving this policy.
With this form you can submit a CVD-report to the ALOVA. Complete the CVD-form with your findings. This form will be sent automatically to email@example.com. To prevent the information from falling into the wrong hands, please use the PGP key from the ALOVA.