Avail Finance is committed to protecting the privacy and security of our system and our customers' information. Our Responsible Disclosure Program is intended to minimize the impact any security flaws have on our system or our customers. Avail Finance's Responsible Disclosure Program covers select products, systems, and assets belonging to Avail Finance.
If you believe you have found a potential security vulnerability, we encourage you to let us know as soon as possible. We will investigate the submission and if found valid, take necessary corrective measures. We request you to review our Responsible Disclosure policy as mentioned below along with the reporting guidelines, before you report a security issue.
Thank you in advance for your submission; we appreciate researchers assisting us in our security efforts. Please note, Avail Finance does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.
Send an email to firstname.lastname@example.org with information about the vulnerability and detailed steps on how to replicate it.
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
Do not publicly disclose a bug without prior approval from the Avail Finance security team.
Do not engage in any activity that can potentially or actually cause harm to Avail Finance, our customers, or our employees.
Originality, quality, and content of the report will be considered while triaging the submission. Please make sure that the report clearly explains the impact and exploitability of the issue with a detailed proof of concept.
Please make sure that any information, such as proof-of-concept videos or scripts, is not uploaded to any third-party website and is instead attached directly as a reply to the acknowledgement email that you receive from us.
You are obliged to share any extra information if asked for; refusal to do so will result in invalidation of the submission.
Do not store, share, compromise or destroy Avail Finance or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Capital One. This step protects any potentially vulnerable data, and you.
You must be respectful of our existing application, and in any case you should not run test cases that might disrupt our services.
Do not initiate a fraudulent financial transaction.
We also request that you not attempt attacks such as social engineering or phishing. These kinds of findings will not be considered valid, and if caught, might result in suspension of your account and appropriate legal action as well.
Provide Avail Finance reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.
By responsibly submitting your findings to Avail Finance in accordance with these guidelines, Avail Finance agrees not to pursue legal action against you. Avail Finance reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, Avail Finance commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:
Social engineering, for example attempts to steal cookies or fake login pages to collect credentials
Resource Exhaustion Attacks
Denial of service attacks
When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).
The responsible disclosure program, including its policies, is subject to change or cancellation by Avail Finance at any time, without notice. As such, Avail Finance may amend these program terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the responsible disclosure program after Avail Finance posts any such changes, you implicitly agree to comply with the updated program terms.