What you can do to help
a. Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding users from damage, harm or loss.
b. Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you should not attempt to test, reproduce or verify the suspected vulnerability, or take any action which may cause interruption or degradation of any Services).
c. Conduct yourself in accordance with applicable laws and regulations at all times. If you have any doubt about such laws or regulations, please seek and obtain professional legal advice. Under no circumstances should you attempt to exfiltrate any computer data or publish details of any suspected vulnerability.
d. Upon detection of a suspected vulnerability, notify us immediately or as soon as practicable by submitting a report to us at <insert email>.
e. Where applicable, provide your name, email and mobile number in the suspected vulnerability report so that we may contact you for clarifications. Include the name(s) and email(s) of other person(s) to whom you may have disclosed the suspected vulnerability.
f. Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability, including these details (where available):
   - Description of the suspected vulnerability.
   - IP address and/or URL of the subject Service.
   - Configuration and version of the subject software.
   - Description of the circumstances, including date(s) and time(s), leading to your reporting of the suspected vulnerability.
   - Description of the reason(s) why you believe the suspected vulnerability may impact the subject Service and the extent of such suspected potential impact (e.g. describe how you believe the suspected vulnerability might potentially operate).
What NOT to do
a. Act in any way which may contravene applicable laws and regulations.
b. Publish or publicly disclose any suspected vulnerability to any third party before it is resolved, as malicious actors may exploit the suspected vulnerability to cause damage, harm or loss to individuals and organisations.
c. Deploy destructive, disruptive or other unlawful means to detect vulnerabilities (e.g. attacks on physical security, social engineering, denial of service, brute force attacks).
d. Exploit, test or otherwise use any suspected vulnerability (e.g. taking any step(s) to access, copy, create, delete, modify, manipulate or download any data or programme, build system backdoor(s), modify system configuration(s), facilitate or share system access).
If you are in any doubt about any proposed course of conduct, please contact us immediately at <insert email>.
Please note that AITI does not and will not in any way:
a. Accord or provide you with any kind of exemption, immunity, indemnity or shield from civil or criminal liability (if any) under applicable laws and regulations.
b. Be liable for any expense, damage or loss of any kind which you may incur due to any action taken or not taken by us in relation to any suspected vulnerability you may report.
c. Accept or assume any responsibility for the contents of any suspected vulnerability report submitted by you, nor shall our acknowledgment or processing of such report constitute any kind of acceptance or endorsement of the contents therein.
d. Be obliged to consult you for any media or public statement that we and/or any Stakeholders may decide to publish or release in relation to the suspected or validated vulnerability.
e. Provide you with any cash reward or financial incentive of any kind for the detection and/or resolution of the validated vulnerability.