
Security

Actility Bounty Program

We’re big believers in protecting your privacy and security. As a company, we not only have a vested interest, but also a deep desire to see the Internet remain as safe as possible for us all.

So, needless to say, we take security issues very seriously. GET UP TO $200 REWARD!

Report major security issues

If you have discovered a vulnerability in Actility or another serious security issue, please contact our dedicated email support security [at] actility (dot) com.

Responsible disclosure

In our opinion, the practice of “responsible disclosure” is the best way to safeguard the Internet. It allows individuals to notify companies like Actility of any security threats before going public with the information. This gives us a fighting chance to resolve the problem before the criminally-minded become aware of it.

Responsible disclosure is the industry best practice, and we recommend it as a procedure to anyone researching security vulnerabilities.

Eligibility

To qualify for a bounty reward you must be the first individual to responsibly disclose the bug, and report a security vulnerability that could compromise the security and/or integrity of Actility services, infrastructure or user data, circumvent privacy protections, or enable unexpected/unauthorized access to systems within Actility. Please note that bugs/security issues previously reported by another participant in the responsible disclosure policy/program will be honored only to the first person that discovered them.

Vulnerability rewards

Compensation

We are happy to receive good reports on security issues, and may reward good reports with monetary rewards and/or swag. Please note that we do so at our sole discretion; any decision on rewards is ours.

Our monetary rewards, up to $200, are based on the severity of the reported issue and the quality of the report. To help you know what to expect, we include some guidelines below. Please understand that we cannot provide an exhaustive list on exactly what will or will not qualify for a reward.

Rules of engagement

We are interested in hearing about security issues on all Actility properties, including our core software and web services hosted by Actility.

To be eligible for a reward, note that we typically require the issue report to have some actual security impact in a realistic scenario. This does not mean you need to fully exploit issues, just provide the information you have, and we will analyze your report and draw conclusions on the impact.

There are some things we explicitly ask you not to do:

  • When experimenting, please only attack test accounts you control. A PoC unnecessarily involving accounts of other end users or Actility employee may be disqualified.
  • Do not run automated scans without checking with us first. They are often very noisy.
  • Do not test the physical security of Actility offices, employees, equipment…
  • Do not test using social engineering techniques (phishing, vishing…)
  • Do not perform DoS or DDoS attacks.
  • Do not in any way attack our end users, or engage in trade of stolen user credentials.
  • Please note that as from 1/1/2016, the following is excluded from the bounty policy:
    > Actility.com corporate web site
    > Unlimited password retry issues
    > CSRF issues (stored CSRF is accepted as valid under bounty program)
    > XSS issues (stored XSS is accepted as valid under bounty program)

Reporting procedure

When reporting a security issue, please include a detailed CVSS analysis of the problem. For more details on CVSS scores, please refer to http://www.first.org/cvss

Only issues with a proven CVSS score above 5.0 will be rewarded by the bounty program.

See example below

Low or no impact

We receive a large number of reports with low to no impact. We are happy to receive reports, but please be aware that these issues rarely constitute security issues, and thus are typically not rewarded:

  • Descriptive error messages
  • Testing the existence of registered username / email
  • Non-200 HTTP response codes
  • Clickjacking
  • Attacks requiring users to run out-of-date software
  • CSRF without impact (e.g., an anonymous contact form, or logout CSRF)
  • Lack of secure/httpOnly on non-sensitive cookies
  • Unvalidated claims that cookies or other secrets “may be guessable”
  • Browser cache issues
  • Attacks requiring access to a victim’s email account
  • Attacks requiring a large amount of user cooperation, such as volunteering critical information to the attacker.
  • Copy-pasted report of low impact issues from an automated scanner without sanity checking or analysis for relevance.

Credit where it’s due

We’d like to publicly thank the following people for their help in reporting security issues to us. We’re very grateful for their assistance.

Owais Ahmed Siddiqui Ishan Anand Prince Rawat Haq Khokhar Mohd Haji
Vicky Vk Kenan G Ala Arfaoui Trotmaster