ATLAST VULNERABILITY DISCLOSURE PROGRAM
Last Updated: April 2026
Introduction
Atlast Global Technologies, S.L. (“Atlast,” “we,” or “us”) is committed to protecting the security and privacy of our platform and our users’ data. We welcome collaboration with the security research community to identify and responsibly disclose potential vulnerabilities.
This Vulnerability Disclosure Program (“Program”) outlines how security researchers can report vulnerabilities to us and what to expect in return.
Our Commitment
We are committed to:
- Acknowledging valid vulnerability reports promptly
- Working with researchers to understand and verify reported issues
- Keeping researchers informed about the status of their reports
- Recognizing researchers who help us improve our security (with their permission)
- Not pursuing legal action against researchers who follow this Program in good faith
Scope
In Scope:
The following are within the scope of this Program:
- Atlast Platform: www.atlasthq.com and associated subdomains (*.atlasthq.com)
- Atlast API: api.atlasthq.com
- Atlast Web Application: app.atlasthq.com
Examples of in-scope vulnerabilities:
- Cross-Site Scripting (XSS)
- SQL Injection
- Authentication or authorization flaws
- Server-Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- Insecure Direct Object References (IDOR)
- Security misconfigurations exposing sensitive data
- Cryptographic vulnerabilities
Out of Scope:
The following are not eligible for this Program:
- Third-party services or websites we link to
- Social engineering attacks (e.g., phishing our employees)
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
- Physical attacks on our infrastructure or personnel
- Vulnerabilities requiring unlikely user interaction
- Reports of software version numbers without a confirmed exploit
- Clickjacking on pages with no sensitive actions
- Missing security headers with no demonstrated impact
- Reports from automated scanners without validation
- CSV injection without demonstrated security impact
- Self-XSS
- Issues affecting outdated or unsupported browsers
If you’re unsure whether something is in scope, please contact us at privacyandsecurity@atlasthq.com before testing.
Safe Harbor
Atlast commits to the following Safe Harbor provisions for security researchers who:
- Make a good-faith effort to comply with this Program
- Do not intentionally harm our users, data, or services
- Report vulnerabilities to us promptly and confidentially
- Do not publicly disclose vulnerabilities before we have had a reasonable time to address them
We will not:
- Initiate legal action against you
- Request law enforcement to investigate you
- Terminate or suspend your Atlast account (if you have one) solely for participation in this Program
However, this Safe Harbor does not apply if you:
- Violate any applicable laws
- Access, modify, or delete data belonging to others without authorization
- Conduct testing that degrades our service for other users
- Extort or attempt to extort payment or other consideration in exchange for vulnerability information
Rules of Engagement
When testing for vulnerabilities, please:
DO:
- Only test against accounts you own or have explicit permission to test
- Respect user privacy – do not access, modify, or delete other users’ data
- Use test accounts or data you create yourself
- Stop testing immediately if you encounter user data or sensitive information
- Report vulnerabilities to us as soon as reasonably possible
- Provide sufficient detail to allow us to reproduce the issue
- Allow us reasonable time to address the issue before any public disclosure
DO NOT:
- Attempt to access data that does not belong to you
- Perform testing that could degrade service quality or availability (e.g., DoS attacks, resource exhaustion)
- Use automated scanners without prior approval
- Exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Engage in social engineering, phishing, or physical attacks
- Violate any applicable laws or regulations
- Publicly disclose the vulnerability before we have addressed it
How to Report a Vulnerability
To report a security vulnerability, please email:
privacyandsecurity@atlasthq.com
Subject Line: “Vulnerability Report: [Brief Description]”
Please include:
- Description: A clear explanation of the vulnerability
- Impact: The potential security impact (e.g., data exposure, privilege escalation)
- Steps to Reproduce: Detailed steps that allow us to reproduce the issue
- Proof of Concept: Example code, screenshots, or video demonstrating the vulnerability (if applicable)
- Your Contact Information: Email address and name (or handle) for follow-up
- Disclosure Preference: Whether you’d like public recognition (optional)
Encryption: For sensitive reports, you may encrypt your message using our PGP key (available upon request at privacyandsecurity@atlasthq.com).
What to Expect
Our Response Timeline:
| Stage | Timeframe |
|---|---|
| Initial Acknowledgment | Within 3 business days |
| Validation & Triage | Within 7 business days |
| Status Updates | Every 14 days (for complex issues) |
| Resolution Target | Varies by severity (see below) |
Severity-Based Resolution Targets:
| Severity | Description | Target Resolution |
|---|---|---|
| Critical | Remote code execution, authentication bypass, sensitive data exposure affecting all users | 7 days |
| High | Privilege escalation, data exposure affecting multiple users, IDOR with significant impact | 30 days |
| Medium | XSS, CSRF, security misconfigurations with moderate impact | 60 days |
| Low | Minor issues with limited impact | 90 days |
These are targets, not guarantees. We will keep you informed if timelines change.
Disclosure Policy
We believe in coordinated disclosure:
Our Approach:
- We will work with you to understand and address the vulnerability
- We will notify you when the issue is resolved
- We request that you do not publicly disclose the vulnerability until we have had a reasonable time to address it (typically 90 days from initial report)
Your Options:
- You may request that we credit you publicly when we disclose the fix (e.g., in release notes or a security acknowledgment page)
- You may remain anonymous if you prefer
- After the issue is resolved and both parties agree, you may publish a write-up or blog post about the vulnerability
Exceptions: If we fail to respond or address a critical vulnerability within a reasonable timeframe, you may publicly disclose the issue after notifying us with at least 14 days’ advance warning.
Recognition
We deeply appreciate the security research community’s contributions.
Hall of Fame: With your permission, we will publicly acknowledge researchers who report valid vulnerabilities on our Security Acknowledgments page (link to be published).
What We Offer:
- Public recognition (if desired)
- Direct communication with our security team
- Updates on the status of your report
- The satisfaction of helping protect our users
What We Don’t Offer: At this time, Atlast does not offer monetary rewards (bug bounties) for vulnerability reports. This is a coordinated disclosure program focused on responsible collaboration.
Legal
This Program does not create a contractual or advisory relationship between you and Atlast. Participation is voluntary.
Atlast reserves the right to modify or terminate this Program at any time.
By participating in this Program, you agree to these terms and acknowledge that your participation is at your own risk.
Excluded Findings
To help focus efforts on impactful security issues, the following are generally considered out of scope unless they demonstrate a significant security risk:
- Descriptive error messages (e.g., “User not found” vs. “Incorrect password”)
- Missing rate limiting on non-critical endpoints
- Lack of CSRF tokens on forms with no sensitive actions
- Presence of autocomplete attributes on non-sensitive forms
- SPF/DKIM/DMARC configuration issues without demonstrated exploitability
- SSL/TLS configuration issues with no demonstrated attack vector
- Cookie security flags on non-sensitive cookies
- Open redirects with no demonstrated security impact
- Theoretical vulnerabilities without proof of concept
Contact Information
For vulnerability reports: privacyandsecurity@atlasthq.com
For general security questions: privacyandsecurity@atlasthq.com
Company Information:
Atlast Global Technologies, S.L.
Avenida Eduard Maristany, 7, floor 5, door B
08019 Barcelona, Spain
Tax ID: B-24.844.326
Thank you for helping us keep Atlast secure!
We appreciate the time and effort security researchers invest in making the internet safer for everyone. Your responsible disclosure helps us protect our users and improve our platform.