Vulnerability Disclosure Program

Version: October, 2024

Security is at the heart of everything we do at Alation. We identify and remediate most vulnerabilities through extensive internal and external third-party testing. Even with industry-leading products, SSDLC processes, and the best people, it is inevitable that something may go undiscovered. Alation welcomes feedback from responsible security researchers and the general public.

Responsible Disclosure

If you believe you have discovered a security vulnerability, a privacy issue, exposed data, or other issues, please email the details to security@alation.com to open a report. Include the following details with your email:

  • Your name

  • Description with sufficient detail required to identify and reproduce the vulnerability (e.g. step-by-step instructions)

Our Commitments

When you responsibly disclose a vulnerability to Alation, we will:

  • Acknowledge your report within five (5) business days

  • Strive to maintain transparency about the progress of your report

  • Work to remediate validated vulnerabilities in a timely manner

Policy

Alation’s Vulnerability Disclosure Program (the “Program”) allows for responsible and confidential disclosure of vulnerabilities to help enhance the security of the technology assets that Alation owns, operates, and maintains. Alation will engage with security researchers when vulnerabilities are reported to us in accordance with this Vulnerability Disclosure Policy (the “Policy”).

A “Vulnerability” is a security flaw or weakness in a technology asset that can be exploited to gain access to and/or modify information, or to change, divert, and/or modify the application’s intended behavior or purpose.

Alation reserves the right to assess each Vulnerability to determine whether it qualifies or has been reported previously. The “Reporter” of a vulnerability agrees to the following Parameters and Exclusions (the “Terms and Conditions”). Alation will not initiate legal action against security researchers so long as they abide by this Policy.

Terms and Conditions

Parameters

If you participate in the Program, we ask that you:

  • Email the vulnerability details promptly to security@alation.com to open a report

  • Handle the confidentiality of details of any discovered vulnerabilities according to this Policy

  • Do not report the same vulnerability multiple times

  • Do not make any public statements or report vulnerabilities to other websites or people

  • Do not access, destroy, or compromise Alation’s or its customers’ computer systems and data

  • Avoid privacy violations

  • Do not degrade Alation’s services during your research (e.g. Denial of Service)

  • If a vulnerability provides unintended access to data, (1) limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept, and (2) cease testing and submit a report immediately

  • Do not use automated scanners

  • Do not violate any (a) federal or state laws or regulations or (b) the laws or regulations of any country where the Reporter is conducting security research

Exclusions

The following exclusions are considered out-of-scope from the Program:

  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability

  • Self-XSS that cannot be used to exploit other users

  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)

  • Clickjacking and the issues exploited only by clickjacking

  • Host Header Injection or content injection issues

  • Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability

  • IP brute-force attacks (e.g. DoS/DDoS)

  • SSO related vulnerabilities

  • Domains/subdomains not in active service

  • Comma-Separated Values (CSV) injection without demonstrating a vulnerability

  • Physical or social engineering attempts

  • Email/SMS flooding attacks

If you are unsure whether your conduct complies with the Program, please reach out to security@alation.com to connect with our Security Team.