Responsible Security Disclosure Program

Program Details

Thank you for your interest in the Atomicwork Security Disclosure Program. We are grateful for your help in making our platform as secure as possible.

External security testing is an important part of the process and makes Atomicwork a safer platform. We are committed to working with researchers to verify, reproduce and respond to legitimate reported security vulnerabilities. You can submit a vulnerability withsecurity@atomicwork.com

‍

Response

Someone from our security team will be in contact with you via email, in the next few days to confirm that we have received your report. After the report has been reviewed, you will receive an email detailing our findings, as well as if your report is unique. We are constantly receiving reports, so it may take us a few days to review your case. Thank you for your patience in advance.

If a vulnerability is reported that affects a third-party, Atomicwork reserves the right to forward the details of the issue to that third party without informing the researcher. We will try to communicate throughout the process as best we can.

‍

Guidelines

When submitting a vulnerability, be sure to add any screenshots, URLs or code that are specifically applicable to the vulnerability, how it's used and most importantly, how to reproduce it. Please also include any step by step description of your findings.
‍

Responsible Disclosure Guidelines

We will investigate received reports and make every effort to correct vulnerabilities quickly. To encourage responsible reporting, we will not take legal action against you provided that you comply with the following Responsible Disclosure Guidelines and other rules of this program:

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
• Do not modify or access data that does not belong to you.
• In cases where potential data modification is possible, contact: security@atomicwork.com and we will work with you to reproduce the vulnerability in a safe environment.
  ‍

Exceptions - Issues outside the scope of this program

• Broad security concepts without specific information pertaining to Atomicwork or our platform
• Open redirects (through headers and parameters) / Lack of security speedbump when leaving the site
• Internal IP address disclosure
• Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc)
• Social engineering or phishing attacks
• Self XSS
• Text injection
• Email spoofing (including SPF, DKIM, DMARC)
• Fingerprinting/banner disclosure on common or public services
• Clickjacking and issues only exploitable through clickjacking
• CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms)
• Lack of rate limiting or other missing DOS protections
• HTTPS mixed content scripts
• Missing HTTP security headers
• Denial of Service attacks
• Lack of MFA
• Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope)

‍

Submission

Click here to submit a vulnerability report