Vulnerability Disclosure Policy

Alex Tech has developed this policy both to reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who provide us with their expertise.

Legal Posture

Alex Tech agrees not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Alex Tech or its customers
  • Engage in vulnerability testing of products without affecting customers (i.e., do not engage in vulnerability testing against their devices/software, etc.)
  • Adhere to the laws of their location and the location of Alex Tech
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires

Reporting security issues

If you believe you have discovered a vulnerability in an Alex Tech product or have a security incident to report, please email us at sales@alex-technology.com or submit it via the CVD-report form.

What we would like from you

  • Reports should be written in English whenever possible
  • Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability. Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names.
  • Reports may include proof-of-concept code that demonstrates exploitation of the vulnerability.
  • We request that any scripts or exploit code be embedded into non-executable file types.

What you can expect from us

  • If you choose to share your contact information with us, we will acknowledge in a timely manner that your report has been received (generally within 3 business days).
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.
  • We will give you credit for discovering the vulnerability in public communications after the vulnerability has been validated and fixed, unless you specify in writing that you would prefer to stay anonymous.
  • We will handle your report confidentially and will not share personal details with third parties without your consent, unless obliged to do so pursuant to a statutory provision or a legal ruling.

Questions

Questions regarding this policy may be sent to sales@alex-technology.com. We also invite you to contact us with suggestions for improving this policy.

CVD-report form

With this form you can submit a CVD-report to the ALOVA. Complete the CVD-form with your findings. This form will be sent automatically to sales@alex-technology.com. To prevent the information from falling into the wrong hands, please use the PGP key from the ALOVA.

Is there a chance of being actively exploited? *
Risk of damage? *

Information about the processing of your personal data

Providing your name and address information is optional. If you wish to be eligible for a reward, we need your name and address to send you the reward. Your data will not be shared with third parties and will be saved until the report has been processed. Please follow the international address standard when writing your address (http://www.upu.int/en/activities/addressing/postal-addressing-systems-in-member-countries.html).

Statement of agreement *