Security

Vulnerability disclosure policy

Version: 8 May 2025

1 Introduction

(a) Engaging with any security-minded person that has found a vulnerability on our site is the purpose of this communication channel, and we thank all good faith actors that do so.

(b) Unfortunately, we do NOT offer any financial compensation for those finding potential or actual vulnerabilities.

2 Scope

(a) This policy applies to the lawful access of any product, website or service owned, operated, or maintained by Allette Systems.

(b) Unless there is a written agreement covering them, digital assets that Allette does not own are out of scope for this policy.

(i) Report the discovery, or suspicion, of a vulnerability on an out-of-scope system to the appropriate vendor or applicable authority.

3 Reporting process

(a) The address for reporting a vulnerability is security@allette.com.au. Please provide the detail necessary to reproduce the issue.

(b) Please do not make your research public before we have time to investigate, repair, or otherwise mitigate the problem.

4 Our commitment to the process

When working with us, you can expect us to:

(a) Promptly acknowledge your engagement, and work with you to understand and verify the issue;

(b) Continue to provide you with updates of our progress;

(c) Resolve the issue with the urgency commensurate with the risk it creates;

(d) Agree upon a date for public disclosure;

(e) Provide appropriate credit for discovering the vulnerability unless you prefer anonymity; and

(f) Extend Safe Harbor for your research as it relates to this policy.

5 Our request to contributors

Thank you for helping. To ensure that your contribution delivers a positive outcome, we ask that you:

(a) Continue to communicate through the official channel, and to give this policy priority over any other agreements;

(b) Allow us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before disclosing anything publicly, and for confidential or private data, please do not access or disclose any of it;

(c) Avoid violating the privacy of others, disrupting our systems, or destroying data, and notify us immediately if you encounter any Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;

(d) Access only the test accounts and the minimum amount of data necessary to demonstrate the issue;

(e) Whether seriously, or in jest, do not make any reference to crimes such as extortion. Our insurance and customer agreements require that any connection between be treated as a threat.

6 Safe harbor

(a) When you conduct vulnerability research according to this policy, we consider that research to be:

(i) Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;

(ii) Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;

(iii) Exempt from restrictions that may be in the Terms of Service or Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and

(iv) Lawful, helpful to the overall security of the Internet, and conducted in good faith.

(b) The expectation is that contributors will comply with all applicable laws. Where research leads to activity that may be contrary to a law, but there is compliance with this agreement, Allette will make all reasonable effort to defend contributors.

(c) If in doubt regarding your security research and legal consequences, before going further, please contact us through our Official Channels. If your research is interesting, we may offer to provide an environment for you to continue working without any legal jeopardy.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy. Allette does not represent the interests, or products, of independent third parties.

7 People who have disclosed vulnerabilities to us

Below are the names or aliases of people who have identified and disclosed vulnerabilities to us:

  • Gaurang maheta
  • Devansh