Welcome to AlienNation. We're on a mission to provide organizations throughout the universe with highly intelligent security that is affordable and simple to use.
To help out with our goals here at AlienVault, we look to our fellow security professionals inside and outside of the mothership. No technology is perfect, after all, and AlienVault believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. AlienVault will make a best effort to respond to incoming reports within 2 business days. We'll try to keep you informed about our progress throughout the process.
Eligibility & Disclosure Policy
Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).
Please provide detailed reports with reproducible steps.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
For now, only the following properties are in scope. We are starting small and will scale up over time. Keep an eye open for when we expand to further our domain testing and product testing.
www.alienvault.com - The main AlienVault website itself.
update.alienvault.com - Update server for the AlienVault product.
data.alienvault.com - This is used for licenses and USM5 updates.
threatcrowd.org - Search engine for threats.
staging.alienvault.com - Utilized for demo staging.
Out of Scope
The following items are out of scope for the time being, and AlienVault does not wish to receive reports on them.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.
otx.alienvault.com is out of scope, but if you are exploring it, please take note. While testing the otx.alienvault.com site, if you visit a threat feed and are using Burp Suite or some other web crawler searching for links, your web crawler will make requests to malicious links and potentially download malware. Thank you swelcher for pointing this out.
Thank you for helping keep AlienVault and our users safe! And thank you again for your contributions to a safer and more secure community.
Hall of Fame