At Aqtos we care about security, a lot.

We want to hear from security researches on vulnerabilities on our website or products, but we have to setup some ground rules.

Reporting an issue
If you’ve found a security bug or vulnerability under the ground rules set on this page, please email us at [email protected] with:

  • Short description of the issue,
  • Its importance level,
  • Detailed steps to reproduce the issue,
  • Your environment details,
  • Any proof-of-concept code.

Our team will investigate the issue upon receiving your email and keep you informed about the progress. We might contact you for additional information. Once resolved, we will inform our customers.

Rewards for Reporting
At this moment, we do not offer financial rewards for vulnerabilities.

What is fair-game:

  • Authentication bypass.
  • Privilege escalations.
  • Exposure of personally identifiable information (PII).
  • Unauthorized data access outside authenticated workspaces.
  • SQL injection and remote command execution.

In Scope for Testing

Out of Scope Activities

  • Automated scanning.
  • Social engineering, especially targeting Aqtos employees or contractors.
  • DoS/DDoS attacks.
  • Physical access-based attacks.
  • Theoretical vulnerabilities without practical exploitability.
  • Man-in-the-middle attacks.

Guidelines for Researchers

  • Test only with your account or explicit consent.
  • Avoid privacy violations, data copying or destruction, and service disruptions.
  • For obtained remote access, refrain from expanding or elevating privileges.
  • Keep the vulnerability confidential until reported to us and allow adequate time for resolution.

Safe Harbor Statement
Activities in line with this policy are authorized. We will not pursue legal action for such actions if rules are followed and best-practices are used for reporting the vulnerability. If a third party initiates legal action against you for activities under this policy, we will clarify that your actions were compliant with our policy.

To top