Disclosure Policy

1. Introduction

At Atolls, the security of our systems and our customers’ data is a top priority. We appreciate the efforts of security researchers who help us maintain a secure environment. This policy applies to all websites and mobile applications owned by Atolls and its associated brands, a list of which can be found at https://atolls.com/our-brands/.

2. Safe Harbour statement

If you conduct your research in good faith and adhere to this policy, we will not pursue legal action against you:

  • Do Not Disrupt: Avoid any testing that could degrade our services.
  • Protect Privacy: Do not access, modify, or delete data that does not belong to you. Limit data collection to the minimum necessary for a proof of concept.
  • Prohibited Methods: Do not use social engineering, phishing, or physical security attacks against our staff or facilities.
  • Confidentiality: Do not disclose the vulnerability to third parties or the public.
  • Good faith: Report any vulnerabilities using this policy.

3. Reporting a Vulnerability

Please review the relevant brand’s website /.well-known/security.txt file for site-specific processes. For the majority of our brands and websites, we do not offer monetary rewards or bug bounties. For a complete scope and reporting process, please see our Vulnerability Disclosure Program, where rules of engagement are also defined. Any disclosures not adhering to this policy will not be actioned.

To help us triage your report quickly, please include:

  • Target: The specific brand, domain, or IP address affected.
  • Description: A detailed description of the vulnerability and its potential impact (e.g., XSS, SQLi).
  • Proof of Concept: Clear, benign, and non-destructive steps to reproduce the issue.
  • Language: In English, if possible.

4. Our Commitment

We aim to:

  • Acknowledge receipt of your report.
  • Investigate and take appropriate action to address the issue, although you will not be informed of any action unless it has been reported via the Intigriti platform.