1. OVERVIEW
AlphaSense is committed to ensuring the security of its customers, employees and contractors by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences on how to submit discovered vulnerabilities to us.
If you have discovered any security vulnerabilities associated with any of the Products (as defined below), AlphaSense appreciates your help in disclosing such vulnerabilities in a responsible manner.
AlphaSense will investigate all legitimate reports and fix the problem as soon as possible.
2. ELIGIBILITY
You may participate in the Program if you meet all of the following criteria:
- You are at least 18 years old; and
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate in the Program.
You are not eligible to participate in the Program if you meet any of the following criteria:
- You are a resident of any country under sanctions or any other country that does not allow participation in this type of program;
- You are under the age of 18;
- Your organization does not allow you to participate in these types of programs;
- You are in breach of your employer’s policy with respect to participation in the Program or receipt of the Reward Point under the Program;
- You are currently an employee of AlphaSense, an AlphaSense subsidiary, or an AlphaSense group entity, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee;
- Within the six months prior to providing AlphaSense your Submission you were an employee of AlphaSense, an AlphaSense subsidiary or an AlphaSense group entity;
- You currently (or within the six months prior to providing us your Submission) perform services for AlphaSense or an AlphaSense subsidiary in an external staff capacity that requires access to the AlphaSense group, such as an agency temporary worker, vendor employee, or contractor; or
- You are or were involved in any part of the development, administration, and/or execution of this Program.
3. SUBMISSION PROCESS/REPORT TEMPLATE
- Individual Details:
- Any publicly identifiable profile (LinkedIn, GitHub etc.):
- Bug Details:
- Type of Issue/Vulnerability:
- Areas affected:
- Impact (including how an attacker could exploit the issue):
- Detailed steps to reproduce (POC or exploit code):
- Remediation:
4. Scope of this Policy
Domains
AlphaSense’s Responsible Disclosure Policy applies to AlphaSense’s core platform and its information security infrastructure. This program will not accept submissions for assets other than those listed below:
Focus Areas
- Injection Vulnerabilities
- Remote Code Execution (RCE) vulnerabilities
- Authentication and Authorization vulnerabilities including horizontal and vertical escalation. (Use 2 different test accounts created by you)
- Domain take-over vulnerabilities
- PII/Sensitive information leak
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Any vulnerability that can affect the AlphaSense Brand, User (Customer/Merchant) data and financial transactions
5. Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Ask the program team before submitting vulnerabilities on unscoped subdomains.
- Only interact with accounts you own or with the explicit permission of the account holder.
6. Out of Scope Vulnerabilities
Any services hosted by third-party providers are excluded from scope. These services are listed under sub-processors on our Trust Center.
- Clickjacking on pages with no sensitive actions
- Expired SSL/TLS certificates
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS and DDoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
- Open redirect – unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Insecure SSL/TLS ciphers
- Absence of HSTS
- Any services hosted by third-party providers, and services/products not provided by AlphaSense
7. Review Process
After a Submission is sent to AlphaSense in accordance with this Policy, the AlphaSense security team will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.
AlphaSense retains sole discretion in determining which Submissions are qualified. If AlphaSense receives multiple bug reports for the same issue/vulnerability from different parties, the Reward Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to AlphaSense, we may award a differential Reward Bounty to the person submitting the duplicate report.
8. Public Disclosure Policy
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH ONE SHALL BE LIABLE FOR LEGAL PENALTIES!”
To Report a Bug – https://hackerone.com/517c78e0-1696-4f8a-97da-9d4460fa87a2/embedded_submissions/new