Responsible Disclosure Program
Guidelines
- Please avoid any privacy violations, degradations, and disruption to the availability of our production systems during your testing.
- Do not attempt to brute-force or spam our systems.
- If the identified vulnerability can potentially extract information about our customers or systems, or impair our systems' ability to function normally, then please refrain from actually exploiting such a vulnerability. This is necessary for us to consider your disclosure a responsible one.
- Please keep your disclosure confidential between yourself and ActivTrak until we resolve the issue.
- We will update each submission with significant events, including confirmed validation, information requests, and whether you have qualified for a reward or recognition.
- We will do our best to fix issues in a short timeframe.
- Submissions may be closed if a reporter is non-responsive to requests for information after seven days.
Scope
The following are in scope as part of our Responsible Disclosure Program:
- The ActivTrak web application at: https://app.activtrak.com
- The Corporate web site at: https://www.activtrak.com
- The Agent downloaded from an application instance at: https://app.activtrak.com
- The Browser Extension found at: https://chrome.google.com/webstore/detail/activtrak-agent/onaoeoekeoebnkagnlhoojobfhemoldp
The following are not in scope as part of our Responsible Disclosure Program:
- Our “Create Free Account” form and all forms on www.activtrak.com
- Our Careers page on https://www.activtrak.com/careers/
- Our ActivTrak Help Center on https://support.activtrak.com/hc/en-us
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
- Third-party applications, websites or services that integrate with or link to ActivTrak.
- Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.
- Findings derived primarily from social engineering (e.g., phishing, vishing).
- Functional, UI, and UX bugs and spelling mistakes.
- Network-level Denial of Service (DoS/DDoS) vulnerabilities.
- Our mail servers or MX records.
Vulnerability Submissions
Please report any security issues you find to [email protected]. If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.
Please include the following in your submission:
- Your name and contact information.
- Company name (if applicable).
- A detailed description of the potential vulnerability.
- Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability.
- The relevant details of your system’s configuration, such as any browser or user-agent information and operating system version.
- Your IP address and ActivTrak account, so we can coordinate your activity with our logs.
Reward
We may grant an award after verifying that the vulnerability is reproducible, unique, and can impact our customers. Each submission will be evaluated case-by-case. The decision and amount of the reward will be at our discretion. Even if we cannot offer monetary compensation, we would be glad to publicly acknowledge your contribution in the Hall of Fame section on our website with your permission.
Thank You
We want to sincerely thank you for disclosing responsibly and working with us to improve our security. We understand the work and talent you’ve put into finding these issues and appreciate you reaching out to us.
Our PGP Key
If you are submitting sensitive vulnerability information or wish to communicate with us privately about your concern, you can use the following PGP key to encrypt your message.
Hall of Fame
Shashank Bhure
Sanket Ambalkar
Mehedi Hasan
Abhay victor
Krutika Tupkar
Yash Dharmani
Kanishkaran Srinivasan
Ali Hassan Kanishkaran
Nabin Ghimire
Pankaj lakshkar
Jatin Yadav
Varad Magare
Mohammed ELdawody