Rules & Safe Harbor

The ground rules.

We care about security research and we care about our customers. These rules exist to make sure both are protected. Read them — following them is what earns you legal safe harbor and our full engagement.

Researcher code of conduct

  1. Conduct research in good faith and within the scope defined above.
  2. Stop at proof-of-concept — do not exfiltrate data beyond what is needed to demonstrate impact.
  3. Do not access, modify, or destroy data that is not yours.
  4. Do not degrade availability (no load or DDoS testing).
  5. Do not pivot into internal networks after establishing an initial foothold.
  6. Do not use automated scanners against production without prior written approval.
  7. Report findings within 48 hours of discovery.
  8. Honor a 90-day coordinated disclosure window after report submission; extensions by mutual agreement.
  9. Do not publicly disclose before the agreed-upon release date.
  10. Do not use social engineering against Avala staff, customers, or contractors.
  11. Do not submit reports generated primarily by automated tools or LLMs without independent validation.

Safe harbor

Avala considers security research and vulnerability disclosure activities conducted consistent with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act (CFAA), the DMCA, and applicable anti-hacking laws.

We will not pursue civil action or file a complaint with law enforcement for accidental, good-faith violations of our policy. If legal action is initiated by a third party against someone acting in compliance with our policy, we will take reasonable steps to make it known that the activities were authorized.

You must still comply with all applicable laws. Safe harbor does not extend to activities that exceed the program scope or rules, or to research conducted outside good-faith security testing.

This policy is modeled on the disclose.io open framework. It is not a substitute for legal advice. If you have legal questions, consult counsel before testing.

Coordinated disclosure

90-day window. You agree to hold public disclosure for 90 days after report submission, or until the fix is deployed, whichever is sooner.

Extensions. Complex issues may need more time. If we need an extension, we'll ask and explain why. Extensions are mutual agreements, not unilateral.

Joint publication. We're happy to coordinate a joint blog post or advisory with you once the fix is live, and will credit you in our hall of fame.

CVE assignment. For qualifying issues, we'll request a CVE on your behalf through MITRE.

Our response SLA

The commitments we hold ourselves to. Miss these and we owe you an explanation (and usually a bigger bounty).

Initial acknowledgment: within 48 hours
Severity assessment & triage: within 5 business days
Status update cadence: every 7 days until resolved
Fix deployment (critical): within 72 hours
Fix deployment (high): within 14 days
Fix deployment (medium/low): within 30 days
Bounty decision: on fix deployment or determination of non-applicability
Bounty payment: within 30 days of decision
