Ethical Hacking & Avatao’s Responsible Disclosure Policy

Avatao.com Learning Ltd. (from hereinafter: “Avatao”) finds it important that clients can use our online services, platforms and applications safely and in a secure manner at all times. Despite all the efforts to keep our IT systems secure, you may discover security vulnerabilities in our internet-facing IT environment. We would appreciate your help disclosing this information to us in a responsible manner.

What to report?

The Responsibility Disclosure Policy reports vulnerabilities with regards to the safety of Avatao services offered through the internet. In the case that you have discovered a vulnerability in our system, please report this by sending an email to security@avatao.com

What security@avatao.com is not used for?

Reporting issues, problems or errors regarding our marketing website (https://avatao.com/) – please use it only regarding vulnerabilities on our platform (https://next.avatao.com)
Reporting complaints about Avatao services
Questions and complaints about the availability of Avatao’s services
Reporting fraud or presumption of fraud
Reporting fake emails, spam or phishing emails
Reporting malware

How can vulnerabilities be reported?

A vulnerability can be reported by email: security@avatao.com. Please ensure that your email is written in clear and understandable English. Particularly include the following in your email:

The entire URL
Description of the vulnerability
The steps that are performed (Proof of Concept)
A possible attack scenario
Screenshots (if necessary)

Our specialists will read your report and start working on it immediately. If you found a vulnerability in our web applications, please do not hesitate to contact us.

Rules

When researching our systems, always act in good faith. You must use discovered vulnerabilities only for your own investigation. Keep the discovered vulnerability confidential until you have agreed upon when and how to disclose the vulnerability with Avatao.

We do not allow you to do security research on our systems and (online) applications that would materially adversely impact the performance or availability.

Please be advised, that currently, we do not offer any form of bounty for any findings. We are not planning on implementing a bounty system anytime soon.

Your Privacy

We respect your privacy. We will only use your contact information for communication with you during the responsible disclosure procedure. We will not pass on your personal details to third parties without permission.

Can I report anonymously?

It is possible to report vulnerabilities anonymously; you do not have to supply contact information when you report a vulnerability.

International Law

We would like to point out that this responsible disclosure policy is governed by Hungarian law. If you are located in a different country, keep the applicable local law in mind, as other countries may have different laws regarding responsible disclosure. This could mean that you will be subject to local legal recourse or may be subject to agencies enforcing such different local law, even if Avatao does not seek legal recourse or file a report at a law enforcement agency.

Hungarian Law

If you discover a vulnerability and investigate it, you might perform actions that are punishable by law. If you abide by the rules of our responsible disclosure policy for reporting the vulnerabilities in our systems, we will not report your offence to the authorities and will not submit a claim.

It is important for you to know, however, that the public prosecutor’s office (“Ügyészség”) – not Avatao – will decide whether or not you will be prosecuted, regardless of whether Avatao files a report to the Hungarian authorities. Avatao neither represents nor guarantees that you will not be prosecuted if you commit a criminal offence when investigating a vulnerability.

The European Union Agency for Cybersecurity has created a “good practice guide on vulnerability disclosure”. Our rules are based on these guidelines.

This Vulnerability Disclosure Policy has been updated on May 31, 2021.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.