1. Introduction
AlixPartners is committed to ensuring the security of our information assets and protecting both AlixPartners and client data. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey a process to submit discovered vulnerabilities to us.
This policy describes which systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.
2. Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized and we will work with you to understand and resolve the issue quickly, and AlixPartners will not recommend or pursue legal action related to your research, provided you do not violate any applicable laws and/or regulations, or breach applicable agreements to discover vulnerabilities. Should legal action be initiated by a third-party against you for activities that were conducted in accordance with this policy, we will make this authorization known. These terms do not provide you with authorization to access company and/or client data (“Confidential Information”) or another person’s account. You will be held liable for any direct and indirect damage that AlixPartners incurs because of disclosure of Confidential Information, including without limitation for any actual direct or indirect damages, lost profits, fines imposed, and any other costs incurred to enforce claims that AlixPartners may have for the violation hereof.
3. Guidelines
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including, but not limited to, personal data/Personally Identifiable Information, financial information, or proprietary information or trade secrets of any part), you must stop your research, notify us immediately, and not disclose this data to anyone else. You shall take all necessary precautions while storing this information, notwithstanding the form in which it was provided, and take reasonable and appropriate measures to keep this secret and prevent disclosure.
4. Research Methods and Vulnerabilities
The following methods are not authorized.
- Network denial-of-service (DoS or DDoS) tests, stress tests, or other tests that impair access to or damage a system or data
- Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
- Large scans using automated tools are strictly prohibited. If your tests have a negative impact on our assets, we will take action to block your IP address, and, in some cases, may take legal action against you
- Exfiltrating data
5. Scope
This policy applies to the following systems and services:
- *.alixpartners.com
- AlixPartners-owned public IP ranges and domain names
- Researchers should verify ownership prior to performing tests
Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for research. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at [email protected] before starting your research.
Though we develop and maintain other Internet-accessible systems or services, active research is only authorized to be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits research, contact us at the email address listed above to discuss it first.
6. Reporting a
Vulnerability
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely AlixPartners, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process (https://www.cisa.gov/coordinated-vulnerability-disclosure-process). We will not share your name or contact information without express permission.
We accept vulnerability reports via email to [email protected]. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. We do not support PGP-encrypted emails.
By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against AlixPartners related to your submission. AlixPartners, may, at our discretion, compensate for submissions. Compensation will be issued in US dollars (USD) only.
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.
- We will acknowledge receipt of your report within three (3) business days of submission.
- Within five (5) business days of acknowledgement, we will notify you of the selected risk mitigation plan and estimated remediation timeframe.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss issues.
7. Questions
Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.