Responsible Disclosure Policy

Guidelines for reporting security vulnerabilities to Admiral.

At Admiral, maintaining the security, privacy, and integrity of our products is our highest priority. We truly appreciate the efforts of researchers who contribute to improving our security and/or privacy posture.

If you believe you have found a security or privacy vulnerability that could impact Admiral or our users, we encourage you to report it promptly. We will investigate all legitimate reports and address confirmed issues as quickly as possible. This policy outlines considerations and commitments for the disclosure of potential security vulnerabilities to Admiral in a responsible manner.

Purpose

The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our users' information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.

Security Researchers

Admiral recognizes the positive contributions of security researchers and encourages the responsible and direct disclosure of potential security vulnerabilities to us. We accept vulnerability reports from all sources.

Our Commitments to Researchers

Admiral is committed to working collaboratively with security researchers.

  • We will maintain standard confidentiality in our communications with you.
  • We will work with you to validate and respond to your disclosure.
  • We will investigate and use all reasonable efforts to remediate validated issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
  • Admiral reserves all of its legal rights in the event of non-compliance with this Policy, but it does not intend to pursue legal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.

What We Ask of Researchers

To ensure responsible disclosure and avoid unintended harm, we ask the following of researchers:

  • We request that you communicate information about potential security vulnerabilities in a responsible manner. This means complying with all applicable laws and respecting the privacy of individuals. Your security research should also avoid degradation of our users' experiences, disruption to systems, and destruction of data.
  • We request that researchers provide sufficient technical detail and background necessary for our team to identify and validate reported issues.
  • We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing vulnerabilities.

Scope

This policy applies to the following Admiral-owned systems and services:

  • admiral.io, and the following hostnames:
    • app.admiral.io
    • api.admiral.io
    • docs.admiral.io
  • Any other subdomain of admiral.io and all customer applications are excluded from this policy.

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy's scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren't sure whether a system is in scope or not, please contact [email protected] before starting your research.

The following activities are explicitly out of scope of this policy:

  • Compromising the integrity, availability, or confidentiality of non-public information in the possession of Admiral.
  • Failing to immediately delete/destroy sensitive information or personal data you may inadvertently access.
  • Publicly disclosing any potential vulnerability without the express written consent of Admiral.
  • Intentionally or negligently causing a denial-of-service condition for any user beyond the researcher.
  • Exploitation of any vulnerability that sends bulk unsolicited or unauthorized messages (spam).
  • Posting, transmitting, uploading, or linking malware, viruses, or similar harmful software that could impact our services, products or customers or any other third party.
  • Testing third-party websites, applications, or services that integrate with our services or products.
  • Conducting social engineering (including phishing) of Admiral employees, contractors, or customers.
  • Any physical attempts against Admiral property or data centers.

How to Report

Please report security vulnerabilities by sending an email to [email protected], optionally encrypted with our PGP key below. Please provide all known information related to the suspected security vulnerability you are reporting.

Upon submission, we will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution, if any.

While no type of vulnerability is explicitly out of the scope of this policy, researchers are asked to consider the attack scenario and exploitability associated with any potential security vulnerability submitted.

Public GPG Key

If you'd like to encrypt your communications with Admiral, please use our PGP key below. All security-related emails from Admiral will be signed with this key.

Key ID: [TO BE GENERATED]
Key Type: RSA
Key Size: 4096

-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key to be generated and inserted here]
-----END PGP PUBLIC KEY BLOCK-----

Document Change History

Version   Date              Description
1.0       January 1, 2025   First Issuance