Vulnerability Disclosure Policy

Security is of the highest importance to ABAX. We welcome feedback from security researchers and the public, to improve the security of our products and services. ABAX management greatly appreciates investigative work into security vulnerabilities, and we are committed to thoroughly investigating and resolving security issues.

If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our products or services, we want to hear from you.

Purpose with the document

This document defines the process for disclosing possible vulnerabilities relating to ABAX’s products and services, and outlines the steps for reporting vulnerabilities to us, what we expect from you, what you can expect from us, and lastly appreciation of the people who have helped secure our products and services.

If you believe you have found a vulnerability with any of our products or services, please report it in compliance with the guidelines set forth in this document.

We ask that you do not publicise or disclose any vulnerabilities until you have been notified that the vulnerability has been remediated. If you consent, we will acknowledge your efforts in finding the vulnerability in the "Hall of fame" section of this document.

Audience

This policy is intended for any security researcher, white hat hacker or anyone else who believes they have found a vulnerability in any of ABAX’s products or services.

Scope for the policy

Any possible vulnerabilities or security issues relating to ABAX products or services are within scope for this policy. Please do not disclose vulnerabilities related to systems managed or owned by third parties.

Ground rules

Researchers/ Ethical Hackers must not do:

  • Access unnecessary amounts of data. For example, 2 or 3 records is enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability).
  • Violate the privacy of ABAX users, staff, contractors, systems etc. For example, by sharing, redistributing and/or not properly securing data retrieved from our Systems.
  • Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than Global IT.
  • Modify or use any data in our systems/services which is not your own.
  • Disrupt our service(s) and/or systems.
  • Disclose any vulnerabilities in ABAX systems to third parties. This does not prevent notification of a vulnerability to third parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework – but details of the specific vulnerability of ABAX must not be referenced in such reports. If you are unsure about the status of a third party to whom you wish to send notification, please email security@ABAX.com for clarification.

Researchers/ Ethical Hackers must do:

  • All data retrieved is securely deleted as soon as it is no longer required and at most, 1 month after the vulnerability is resolved, whichever occurs soonest.
  • Play by the rules. This includes following this policy and any other relevant agreements.
  • Report any vulnerability you’ve discovered promptly, within 1 month after the vulnerability is discovered.
  • Use only the official channels to discuss vulnerability information with us.
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact us.

Test methods:

We ask that you refrain from using unauthorized test methods. These methods include, but is not limited to:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing

Legalities

This control procedure is designed to be compatible with common good practice among well-intentioned vulnerability discovery. It does not give you permission to act in any manner that is inconsistent with applicable laws or cause ABAX to be in breach of any of its legal obligations.

If you follow the guidelines set forth in this document, we will not pursue or support any legal action related to your reported vulnerabilities. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If you have concerns or are uncertain whether your security research is consistent with this policy, or otherwise wish to provide feedback or suggestions on this control procedure, please contact us at security@ABAX.com before going any further. This control procedure will evolve over time and your input will be valued to ensure that it is clear, complete and remains relevant.

How to report vulnerabilities

If you have discovered an issue which you believe is an in-scope security vulnerability, please email security@ABAX.com, with the following information:

  • the system or service in which the vulnerability exists.
  • a brief description of the class (e.g. "XSS vulnerability") of the vulnerability. Please avoid including any details which would allow reproduction of the issue at this stage. Detail will be requested subsequently, over encrypted communications.
  • the potential impact of exploitation.

Reports should be written in clear and simple terms. And be in English, if possible.

We will then ask that reporters provide a benign (i.e., non-destructive) proof of exploitation wherever possible. This helps to ensure that the report can be triaged quickly and accurately whilst also reducing the likelihood of duplicate reports and/or malicious exploitation for some vulnerability classes. Please ensure that you do not send your proof of exploit in plaintext using email if the vulnerability is still exploitable. Please also ensure that all proof of exploits are in accordance with our guidance (above), if you are in any doubt, please email security@ABAX.com for advice.

Please read this document fully prior to reporting any vulnerabilities to ensure that you understand the procedure and can act in compliance with it.

PGP encryption

To prevent critical information from falling into the wrong hands, we would like, on request, for you to send the specific information regarding the vulnerability by encrypted e-mail. We will ask you to create a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).

You can find our public encryption key here www.abax.com/pgp-key.txt.

What to expect from ABAX

In response to your initial email to security@ABAX.com you will receive an acknowledgement reply email from the case management system.

Following the initial contact, the internal security team will work to triage the reported vulnerability. You can expect a response within 72 hours, with our evaluation of the report, and confirmation to whether further information is required. Any further information required will be requested sent by OpenPGP encryption (our public encryption key is posted in the above-mentioned field)

From this point, necessary remediation work will be assigned to the appropriate IT teams and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of impact and complexity of exploitation. Vulnerability reports may take some time to triage and/or remediate, you’re welcome to enquire on the status of the process, but please bear with us.

Our Security Team will notify you when the reported vulnerability is resolved (or remediation work is scheduled) and will ask you to confirm that the solution covers the vulnerability adequately. We will offer you the opportunity to feed back to us on the reporting process, as well as the vulnerability resolution. This information will be used in strict confidence to help us improve the way in which we handle reports and/or develop Systems and resolve vulnerabilities.

If you do not agree to these terms, please do not send us any submissions, or otherwise participate in this program.

Hall of fame

Hall of fame is where all the people who have helped secure our products and services (published with their consent).

You may receive public recognition if you are the first person to report the vulnerability, the vulnerability is a valid security issue, and you have complied with these guidelines.

Unfortunately, due to internal constraints, it is not currently possible for us to offer a paid bug bounty programme. ABAX management would, however, like to offer our sincere appreciation to those who take the time and effort to investigate and report security vulnerabilities to us according to this control procedure.

Thank you for your effort.