Here at Akeero we are committed to providing secure products and services to our customers, and welcome reports from independent researchers, industry organisations, vendors, customers, and other sources concerned with security. If you believe you have discovered a potential security vulnerability with our products or services, we look forward to receiving your report, and appreciate your help in disclosing the issue to us responsibly.
The below assets are deemed as out of scope for the purposes of our vulnerability disclosure program:
Akeero defines a security vulnerability as an unintended weakness in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of that product or service. When reporting vulnerabilities, please consider:
We will investigate all eligible reports and do our best to fix valid issues quickly.
We ask the security research community to give us a reasonable opportunity to correct a vulnerability before publicly disclosing it. Please submit a detailed description of the issue and the steps required to reproduce what you have observed. In doing so, please make every attempt possible to protect our customers’ privacy, data confidentiality, and integrity – we very much value your assistance in preserving those.
Our customers’ privacy, data confidentiality, and integrity are crucial at Akeero. You agree that you will not disclose vulnerability information to any third party until granted permission to do so by Akeero. We endeavor to grant such permission within two to four weeks from the release of the fix that addresses the discovered vulnerability.
Please understand that we cannot work with anyone who violates applicable laws or regulations, attempts to exploit a security issue or access other users’ data – in other words, anyone who violates this policy.
Akeero’s default policy is to acknowledge all researchers who submit a valid security vulnerability report. We are a small startup, and although we can’t match large companies when it comes to monetary bounty awards, we understand the value of a good submission and we do offer researchers a few different award options.
Any such bounty will be awarded after an Akeero team member has confirmed the issue during the Triage process. We generally won’t wait to award a bounty until after the item is fixed as we understand some issues may have long lead times in deploying fixes. Bounties are only awarded for actual security or privacy impacting reports, and not for functionality or other types of bugs.
Upon receipt of your report, we promise to review and address any security issues in a timely manner and to communicate with you during our investigation and upon resolution.
Akeero will make a best effort to meet the following timelines:
We’ll try to keep you informed about our progress throughout the process.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Here at Akeero we understand that our customers expect us to protect their data with the highest standards and are committed to providing them with a highly secure and reliable environment.
Our security model and controls are based on international standards and industry best practices, including ISO 27001, OWASP Top 10 and AWS Well-Architected.
Akeero implements a security-oriented design in multiple layers, at both the application and infrastructure levels. The Akeero application is developed according to the OWASP Top 10 framework and all code is peer reviewed prior to deployment to production. Our controlled CI/CD process includes static code analysis, software composition analysis, vulnerability assessment, penetration testing, and more.
Independent third party assessments are crucial in order to get an accurate, unbiased understanding of an organisation’s security posture. Akeero conducts penetration tests on an annual basis or after any major change, both at the application and the infrastructure level, using highly qualified, independent assessors.
We use Safebase to manage our Trust Centre.