Ethical hacking & Avatao’s Responsible Disclosure Policy

Avatao.com Learning Ltd. (hereinafter: “Avatao”) finds it important that clients can use our online services, platforms and applications safely and securely at all times. Despite all our efforts to keep our IT systems secure, you may discover security vulnerabilities in our internet-facing IT environment. We would appreciate your help in disclosing this information to us in a responsible manner.

What to report?

The Responsible Disclosure Policy covers reports of vulnerabilities with regard to the safety of Avatao services offered through the internet. If you have discovered a vulnerability in our system, please report it by sending an email to security@avatao.com.

What is security@avatao.com not used for?

  • Reporting issues, problems or errors regarding our marketing website (https://avatao.com/) – please use it only for vulnerabilities on our platform (https://next.avatao.com)
  • Reporting complaints about Avatao services  
  • Questions and complaints about the availability of Avatao’s services 
  • Reporting fraud or presumption of fraud 
  • Reporting fake emails, spam or phishing emails 
  • Reporting malware

How can vulnerabilities be reported?

A vulnerability can be reported by email: security@avatao.com. Please ensure that your email is written in clear and understandable English. In particular, include the following in your email:

  • The entire URL 
  • Description of the vulnerability 
  • The steps that are performed (Proof of Concept) 
  • A possible attack scenario 
  • Screenshots (if necessary)

Our specialists will read your report and start working on it immediately. If you found a vulnerability in our web applications, please do not hesitate to contact us.

Rules

When researching our systems, always act in good faith. You must use discovered vulnerabilities only for your own investigation. Keep the discovered vulnerability confidential until you have agreed with Avatao on when and how to disclose it.

We do not allow you to do security research on our systems and (online) applications that would materially and adversely impact their performance or availability.

Please be advised that we currently do not offer any form of bounty for any findings. We are not planning on implementing a bounty system anytime soon.

Your Privacy

We respect your privacy. We will only use your contact information for communication with you during the responsible disclosure procedure. We will not pass on your personal details to third parties without permission.

Can I report anonymously?

It is possible to report vulnerabilities anonymously; you do not have to supply contact information when you report a vulnerability.

International Law

We would like to point out that this responsible disclosure policy is governed by Hungarian law. If you are located in a different country, keep the applicable local law in mind, as other countries may have different laws regarding responsible disclosure. This could mean that you will be subject to local legal recourse or may be subject to agencies enforcing such different local law, even if Avatao does not seek legal recourse or file a report at a law enforcement agency.

Hungarian Law

If you discover a vulnerability and investigate it, you might perform actions that are punishable by law. If you abide by the rules of our responsible disclosure policy for reporting the vulnerabilities in our systems, we will not report your offence to the authorities and will not submit a claim.

It is important for you to know, however, that the public prosecutor’s office (“Ügyészség”) – not Avatao – will decide whether or not you will be prosecuted, regardless of whether Avatao files a report to the Hungarian authorities. Avatao neither represents nor guarantees that you will not be prosecuted if you commit a criminal offence when investigating a vulnerability.

The European Union Agency for Cybersecurity has created a “good practice guide on vulnerability disclosure”. Our rules are based on these guidelines.

 

This Vulnerability Disclosure Policy was updated on May 31, 2021.

© 2021 Avatao • Contact: support@avatao.com