|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
We are always working to improve the security of our products. You, the AlienVault community, aid our ability to deliver secure software for our customers — so thanks in advance!
Discovered a security vulnerability? Disclose it to us through our HackerOne program at https://hackerone.com/alienvault_security. You can find further information of what domains we currently undertake on this page.
What Vulnerability Information Are We Looking For?
When submitting an issue, please provide a technical description that allows us to assess exploitability and impact of the issue, and include the following where appropriate:
- Provide steps and any additional information we may need to reproduce the issue.
- If you are reporting cross-site scripting (XSS), your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows the user's authentication cookie.
- For a cross-site request forgery (CSRF), use a proper CSRF case when a third party causes the logged-in victim to perform an action.
- For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
- HTTP request / response captures or simply packet captures are also very useful to us.
Please refrain from sending us links to non-AlienVault websites, or issues in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable by someone other than the user ("self-XSS").
Note: We are unable to respond to generic scanner reports. If you have had a security practitioner examine a generic scan report and they have isolated specific vulnerabilities that need to be addressed, we request that you report them individually.