Version: October, 2024
Security is at the heart of everything we do at Alation. We identify and remediate most vulnerabilities through extensive internal and external third-party testing. Even with industry-leading products, SSDLC processes, and the best people, it is inevitable that something may go undiscovered. Alation welcomes feedback from responsible security researchers and the general public.
If you believe you have discovered a security vulnerability, a privacy issue, exposed data, or other issues, please email the details to security@alation.com to open a report. Include the following details with your email:
Your name
Description with sufficient detail required to identify and reproduce the vulnerability (e.g. step-by-step instructions)
When you responsibly disclose a vulnerability to Alation, we will:
Acknowledge your report within five (5) business days
Strive to maintain transparency about the progress of your report
Work to remediate validated vulnerabilities in a timely manner
Alation’s Vulnerability Disclosure Program (the “Program”) allows for responsible and confidential disclosure of vulnerabilities to help enhance the security of the technology assets that Alation owns, operates, and maintains. Alation will engage with security researchers when vulnerabilities are reported to us in accordance with this Vulnerability Disclosure Policy (the “Policy”).
A “Vulnerability” is a security flaw or weakness in the technology asset that can be exploited to gain access and/or modify information, and change the behavior of, divert, and/or modify the application’s intended purpose.
Alation reserves the right to assess each Vulnerability to determine if it qualifies or has been reported previously. The “Reporter” of a vulnerability agrees to the following Parameters and Exclusions (“Terms and Conditions”). Alation will not initiate legal actions against security researchers so long as they abide by this Policy.
Parameters
If you participate in the Program, we ask that you:
Email the vulnerability details promptly to security@alation.com to open a report
Handle the confidentiality of details of any discovered vulnerabilities according to this Policy
Do not report the same vulnerability multiple times
Do not make any public statements or report vulnerabilities to other websites or people
Do not access, destroy, or compromise Alation’s or its customers’ computer systems and data
Avoid privacy violations
Do not degrade Alation’s services during your research (e.g. Denial of Service)
If a vulnerability provides unintended access to data, (1) Limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept, (2) Cease testing and submit a report immediately
Do not use automated scanners
Do not violate any (a) federal or state laws or regulations or (b) the laws or regulations of any country where the Reporter is conducting security research
Exclusions
The following exclusions are considered out-of-scope from the Program:
Vulnerabilities affecting users of outdated or unsupported browsers or platforms
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Self-XSS that cannot be used to exploit other users
Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
Clickjacking and the issues exploited only by clickjacking
Host Header Injection or content injection issues
Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability
IP brute force attacks (e.g. DoS/DDoS)
SSO related vulnerabilities
Domains/subdomains not in active service
Comma-Separated Values (CSV) injection without demonstrating a vulnerability
Physical or social engineering attempts
Email/SMS flooding attacks
If you are unsure whether your conduct complies with the Program, please reach out to security@alation.com to connect with our Security Team.