Avanade Vulnerability Disclosure
The following Vulnerability Disclosure Guidelines describe the voluntary program through which Avanade will engage with parties who identify and report to Avanade potential security vulnerabilities. These Vulnerability Disclosure Guidelines offer direction for identifying and submitting information regarding potential vulnerabilities to Avanade and apply only to disclosure of potential vulnerabilities affecting systems owned or controlled by Avanade; not to those affecting any other systems, including those owned or controlled by any Avanade clients, business partners, or others.
Vulnerability Disclosure policies
Avanade does not provide compensation in exchange for information pertaining to security vulnerabilities under this Vulnerability Disclosure Program.
Avanade may choose not to pursue, contact, or otherwise interact with reporters who decline to identify themselves when making the report.
Avanade will deal in good faith with reporting parties who comply with these Vulnerability Disclosure Guidelines.
Avanade may choose to disregard submissions by parties who submit a high volume of low-quality reports.
Research and vulnerability disclosures
For parties who conduct security research and vulnerability disclosure activities in accordance with these Vulnerability Disclosure Guidelines, (1) Avanade will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than Avanade, Avanade will take reasonable steps to make known that the activities of the affected parties were conducted pursuant to and in compliance with these Vulnerability Disclosure Guidelines.
Activities conducted under these Vulnerability Disclosure Guidelines must be limited exclusively to the following:
- Testing to detect a potential vulnerability or to identify an indicator related to a potential vulnerability; or
- Sharing information with Avanade, or receiving information from Avanade, related to a potential vulnerability.
Avanade does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity. If you engage in any activities that are inconsistent with these Vulnerability Disclosure Guidelines or any applicable law, you may be subject to criminal and/or civil liabilities.
- Parties conducting activities subject to the Vulnerability Disclosure Guidelines must do no harm, including but not limited to exploiting any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists; intentionally accessing the content of any communications, data, or information transiting or stored on Avanade network(s) or system(s); compromising the privacy or safety of Avanade employees, Avanade customers, or any third parties; intentionally compromising the intellectual property or other commercial or financial interests of Avanade, Avanade employees, Avanade customers, or any third parties; posting, transmitting, uploading, linking to, sending, executing, or storing any malicious software on any Avanade network(s) or system(s).
- Reporting parties must allow Avanade an opportunity to correct a potential vulnerability within a reasonable timeframe before publicly disclosing the identified issue, to ensure that Avanade has developed and thoroughly tested the solution to such issue.
- Parties conducting activities under this Vulnerability Disclosure must comply with all federal, state, and local laws applicable with security research activities or any other activities under these Vulnerability Disclosure Guidelines.
- To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any non-Avanade entity, such non-Avanade entity may independently determine whether to pursue legal action or remedies related to such activities.
Vulnerability Disclosure reporting process
Reporting parties are encouraged to submit via the submission form (operated by an independent third party, Bugcrowd). This process is managed exclusively by Bugcrowd, through which you must accept the terms and conditions if you wish to proceed.
Vulnerability Disclosure reporting instructions
Your report must include the following information:
- Submission title
- Vulnerable target
- Vulnerable Rating Taxonomy category
- Vulnerability description
NOTE: Avanade reserves the right, in its sole discretion, to modify the terms of these Vulnerability Disclosure Guidelines or to terminate any or all of them at any time.