
Welcome to Actility Bug Bounty

Our security team constantly works at keeping customer information secure. We recognize the important role that independent security researchers and our user community play in helping to keep Actility and its users secure. If you discover a vulnerability, please notify us using the guidelines below.

Our commitment

We will respond to your submission as quickly as possible.

As we work to fix the bug you submitted, we will keep you updated.

If you play by the rules, we will never take legal action against you.

Guidelines

Actility will pay a bounty for certain security bugs, as detailed below. To be eligible, every security bug should meet the following general criteria:

  • Security bugs must be original and previously unreported.
  • Security bugs must be a remote exploit, the cause of a privilege escalation, or an information leak.
  • Submitter must not be part of Actility’s team or any of its subcontractors.

Rules

  • Don’t attempt to gain access to another user’s account or data
    • Create as many accounts as required to proceed with your attempts
  • Don’t perform any attack that could harm the reliability/integrity of our services or data
    • DDoS/spam attacks are NOT accepted
  • Wait until a bug is fixed if you want to disclose it
    • Feel free to ping our security team if you want to query the status of a bug report
  • Only test for vulnerabilities located on Actility’s technologies
  • Do not impact other users with your testing
  • Do not use scanners or automated tools to find vulnerabilities
    • We ask you to demonstrate the vulnerability with a valid/reproducible example
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our users, employees, or infrastructure
  • When in doubt, contact us

Claiming A Bounty

To claim a bounty:

  • If you have a Yogosha account, you can submit your vulnerability report directly on our Bounty Program
  • Otherwise, please send an email to security-actility@yogosha.com describing the vulnerability you found, using the PGP Key 0x6EE858D6 if your email contains sensitive information. They will contact you and guide you through their vulnerability reporting process
  • Properly describe the security issue and its impact on our system
  • Attach a concrete and detailed “proof of concept” and rate your bug’s criticality using CVSS.

Please be available to follow along and provide further information on the bug you discovered as needed, and work with Actility’s engineers in reproducing, diagnosing, and fixing the bug.

Rewards

The bounty for a valid and potentially exploitable security vulnerability will be a cash reward of between 50€ and 200€. The bug bounty encourages the earliest possible reporting of these potentially exploitable bugs. We reserve the right not to pay bounties for security bugs in or caused by additional third-party software.