Responsible Disclosure Program

Introduction

At AHEAD, we believe that security is a collaborative effort. Engaging directly with our customers and the broader security community is integral to fostering a secure environment for everyone who relies on our products and services. Collaboration and transparency lie at the heart of our commitment to continually improve and transform our security practices.

If you are a security researcher and believe you have discovered a security vulnerability in an AHEAD product, service, or application, we encourage you to report it to us promptly. We request that any such findings remain confidential until we have resolved the issue to ensure the safety and privacy of our users.

AHEAD will review your reports diligently and respond in a timely manner. Our vulnerability disclosure partner will assist us in triaging submissions to ensure efficient processing. AHEAD will not pursue legal or law enforcement actions against you for responsibly reporting security vulnerabilities, provided that you adhere to the policies outlined in this program. Specifically, we ask that you:

  • Comply with the policies and guidelines of this Vulnerability Disclosure Program.
  • Follow the Standard Disclosure Terms of our vulnerability disclosure partner.
  • Not compromise the privacy or security of any individuals.
  • Not destroy sensitive data you encounter during your research, and not retain any such data once the vulnerability has been resolved.
  • Agree to and comply with the AHEAD confidentiality terms stated below.

Confidentiality

By participating in this program or submitting a security vulnerability to AHEAD, you agree to adhere to the following confidentiality provisions:

  • All information related to the vulnerability, including the methods used to discover it, must remain confidential.
  • You must not disclose, share, or publish the details of the vulnerability in any format until you have received written confirmation from AHEAD that the issue has been resolved and disclosure is permissible.
  • Any sensitive or private data collected during your investigation must be securely deleted once the vulnerability has been addressed.

Scope of the Program

This program applies to vulnerabilities found within AHEAD products, services, and applications. It does not cover vulnerabilities discovered in third-party integrations or external services unless explicitly stated. Any submission outside of this scope will be reviewed but may not qualify for official recognition or rewards.

Scope of Interest

We invite reports on the following categories of vulnerabilities:

  • Sensitive data exposure, including through stored cross-site scripting (XSS), SQL injection (SQLi), or similar injection flaws
  • Authentication or session management issues
  • Remote code execution

Additionally, we welcome insights into innovative vulnerabilities or unique issues that do not fit into the aforementioned categories. Please share any exceptional findings you may have.

Out of scope

The following vulnerability categories are outside the scope of our responsible disclosure program:

  • Denial of service (DoS) through network traffic, resource exhaustion, or other methods
  • User enumeration
  • Issues that only reproduce in outdated or end-of-life browsers, plugins, or other software
  • Phishing or social engineering targeting AHEAD employees, partners, or customers
  • Systems or issues related to third-party technology used by AHEAD
  • Disclosure of known public files and other information disclosures that do not pose a material risk (e.g., robots.txt)
  • Any attack or vulnerability contingent on the initial compromise of a user’s computer

Researchers are expected to conduct their research responsibly. For instance, if a publicly exposed password or key is found, it should not be used to test how far its access extends, or to download or exfiltrate data to prove that it works. Similarly, upon discovering a working SQL injection, researchers should not exploit the vulnerability beyond the minimum needed to demonstrate a proof of concept.

Excessive exfiltration or downloading of AHEAD data, or demanding payment in return for the destruction of AHEAD data, is considered outside the scope of this program. AHEAD reserves all rights, remedies, and actions to protect itself and its users.

Commitment to the Security Community

AHEAD appreciates the dedication of the security community and recognizes the value of ethical research in improving the safety of technology systems. We are committed to fostering a positive and collaborative relationship with researchers and users who contribute to our security efforts.

Contact Information

Please use our form below to report a security issue to AHEAD.