Responsible Disclosure Program

We at Amagi genuinely value the assistance of security researchers and any others in the security community to assist in keeping our systems secure.If you are a security researcher and have found a vulnerability, an abuse risk, or a security-related bug in an Amagi product, domain, or website, you can report it to us under Amagi's Responsible Disclosure Program.

To report a potential security vulnerability/risk/bug under Amagi’s Responsible Disclosure program, please send an email to report-vuln@amagi.com in the Reporting format (section 3) below, and we'll get in touch with you in 3-5 business days, after a preliminary investigation is carried out to validate the reported issue. 

While reporting an issue please be sure to read all sections listed below. Reports and researchers not complying to the Eligibility Criteria (Section 1), Scope (Section 2) and Reporting Format (Section 3) will not be qualified under the program. 

A list of Non-qualified Issues are mentioned in Section (4), please ensure your reports are not under any of those categories.

Do read the disclaimers in Section (5) to avoid any confusions in the qualification process. 

1. Eligibility Criteria:

All criteria must be met in order to participate in the Responsible Disclosure Program.

The researcher:

  1. Is not currently nor have been an employee (contract or FTE) of Amagi, within 6 months prior to submitting a report
  2. Is neither a family nor household member of any individual who currently or within the past 6 months has been an employee (contract or FTE)
  3. Will not use a finding to compromise/exfiltrate data or pivot to other systems, and use the proof of concept only to demonstrate an issue
  4. If exposed to sensitive information- such as personal information, credentials, etc., as part of a vulnerability, must not save, store, transfer, access, or otherwise process such information after the initial discovery. All copies of sensitive information must be returned to Amagi and may not be retained
  5. May not, and is not authorised to, engage in any activity that would be disruptive, damaging, or harmful to Amagi brands or its customers. This includes social engineering, phishing, and denial of service attacks against users or employees
  6. Uses the identified communication channel, viz., report-vuln@amagi.com to report the vulnerability information; and must not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorised employees), or otherwise share vulnerabilities with a third party, without Amagi's express written permission
  7. Agrees to participate in testing mitigation effectiveness and coordinating disclosure/release/publication of the finding
  8. Shall not violate any applicable law or regulation, including laws prohibiting unauthorised access to information
  9. If at any point while researching a vulnerability, is unsure of next steps, will immediately send a message to report-vuln@amagi.com

2. Scope:

  1. Amagi Domains (amagi.com, amagi.tv)
  2. Infrastructure that belongs to Amagi

3. Reporting Format:

  • Email Subject: External Bug Report <single line bug summary>
  • Email Body:
    1. Mandatory: Description of the bug
    2. Mandatory: Description of the attack scenario
    3. Mandatory: The impact of this scenario
    4. Mandatory: Steps to reproduce the reported vulnerability
    5. Mandatory: Proof of exploitability (e.g. screenshots, video)
    6. Perceived impact to another user or the organisation
    7. List of URLs and affected parameters
    8. Other vulnerable URLs, additional payloads, Proof-of-Concept code
    9. Browser, OS, and/or app version used during testing
    10. Bug resolution and fix

4. Non-Qualified Bugs:

  • Host header and banner grabbing issues
  • Automated tool scan reports.Example: Web, SSL/TLS scan, Nmap scan results, etc.
  • Missing HTTP security headers and cookie flags on insensitive cookies
  • Rate limiting, brute force attack on non-sensitive data parameters
  • Login/logout CSRF
  • Session timeout
  • Open redirections
  • Vulnerabilities that require physical access to the victim machine.
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than two stable versions behind the latest released stable version]
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
  • Vulnerabilities found in third-party services
  • EXIF data not stripped on image
  • Clickjacking

5. Disclaimer:

  • Eligibility for any reward arrangements under this program, including but not limited to the timing, reward amount, and form of payments, are at Amagi's sole discretion and will be determined on a case-by-case basis.
  • Amagi makes no representations regarding the tax consequences of the payments under this program. Participants in this program are responsible for any tax liability associated with reward payments.
  • Reports that do not fulfil the mandatory report criteria will not be considered under the purview of the responsible disclosure program
  • The submitted report must include a detailed demonstration of the exploit, highlighting its potential impact on the organisation's information assets, and it must be directly related to Amagi's business, services, and infrastructure context. Please note that examples of exploits executed in other environments will not be accepted as valid proof of exploit.