Responsible Disclosure Program

Aeries Software, Inc., is committed to safeguarding the privacy of the data held within our systems.  We are committed to taking all reasonable and appropriate measures to ensure data confidentiality and integrity.

We encourage responsible reporting of any potential areas for improvement or vulnerabilities that may be found in our software and are committed to working with security researchers to verify and address any potential vulnerabilities reported to us.

Please review the following guidelines before exploring or reporting any vulnerabilities.  This program is in place only for Aeries Software, Inc.’s products and services.

How to Report a Vulnerability or Security Issue

To report a potential security issue or vulnerability with an Aeries Software, Inc. branded product, please email the discovered potential issue or vulnerability to us, providing us with, if available:

  1. Name(s) of the product, technology, or program at issue
  2. Potential impact of the vulnerability
  3. Details of the potential security issue or vulnerability (including a description of your discovery with clear, concise, reproducible steps), and
  4. A working proof-of-concept

Emails can be sent to security@aeries.com.

To avoid any delay in our response, please be as thorough as possible in your explanation of the potential security issue or vulnerability. Submitted potential vulnerabilities are initially reviewed, triaged and assessed in detail to determine the risk level of the vulnerability.  By submitting a potential vulnerability, you agree to permit Aeries Software, Inc. a reasonable time to assess and remedy the reported vulnerability, not to share or publicize an unresolved vulnerability with third parties, and to keep all communication regarding the potential vulnerability confidential.

We will continue to work with you to assess and understand the scope of the issue and fully address any concerns.

Recognition

Aeries Software, Inc. appreciates and wants to recognize every individual researcher who submits a vulnerability report helping us improve our overall security posture.

To recognize research partners, Aeries Software, Inc. may feature researchers who make significant contributions if they are first to report an issue and we make a code or configuration change based on their report.  By submitting a potential security issue or vulnerability, you may grant Aeries Software, Inc. the right to display your name on a Security Researcher Recognition page and/or such other media as Aeries Software, Inc. may choose to publish.  Any and all recognition is at the sole discretion of Aeries Software, Inc.

Third-party bugs

If issues reported to Aeries Software, Inc. affect a third-party product, vendor or partner, Aeries Software, Inc. reserves the right to forward details of the issue to that party without further discussion with the researcher.  We will do our best to coordinate and communicate with researchers through this process.

Sensitive and Personal Information

Never attempt to access anyone else’s data or personal information, including by exploiting a vulnerability.  Such activity is unauthorized.  If during your testing you interacted with or obtained access to data or personal information of others, you must:

  • Stop your testing immediately and cease any activity that involves the data or personal information relating to the potential vulnerability.
  • Do not save, copy, store, transfer, disclose or otherwise retain the data or personal information.
  • Alert Aeries Software, Inc. immediately and support our investigation and mitigation efforts.

Other prohibited and unauthorized acts include, but are not limited to:

  • Attacks against Aeries Software’s infrastructure
  • Social engineering attacks (e.g., pretexting, phishing, malware/scareware, etc.)
  • Distributed denial-of-service (DoS or DDoS) attacks
  • Violating licenses of third parties

Failure to comply with any of the above will immediately disqualify any report from potential participation in this program.

We may be unable to recognize any individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

You should understand that we can cancel the program at any time and the decision to recognize your contribution is at the sole discretion of Aeries Software, Inc.

Lastly, your discovery, testing, and/or reporting must not violate any laws, or disrupt or compromise any data that is not your own.

If you have questions about responsible disclosure of results for a submission, please reach out to us via the email provided.

Aeries Software, Inc. Security Team Commitment

Upon submission of a potential vulnerability report, the security team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your submission;
  • Provide an estimated time frame, if possible, for addressing the reported potential vulnerability;
  • Notify you upon correcting the vulnerability.