Anyone experiencing an Ava Security product security issue is strongly encouraged to contact the Ava PSIRT via security@ava.uk. Ava welcomes reports from customers, vendors, security researchers, industry organizations, and other stakeholders. Support requests will be acknowledged within 48 hours.
General security-related queries
For general security questions, please contact support@ava.uk.
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@ava.uk.
Please include the following details with your report:
Ava takes the security of its customers and its relationship with the security research community seriously. This document outlines what can be expected from Ava when a vulnerability is reported and what Ava considers to be acceptable for researchers in the process of testing.
We require that all researchers:
If you follow these guidelines when reporting an issue to us, we commit to:
Legally acquired versions of Ava software running in a deployment for which the researcher has the rights, or explicit permission, to test are in scope. Security researchers may be provided with trial versions of software for experimentation.
Any services hosted by third-party providers and services are excluded from scope. In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
Things we do not want to receive:
Ava Security Ltd is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This document describes Ava’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regard to informing customers of verified vulnerabilities.
Contact the Ava Product Security Incident Response Team (PSIRT) by sending an email to security@ava.uk in the following situations:
Technical security information about our products and services is distributed through several channels.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
Use of the information constitutes acceptance for use in an AS IS condition. There are no express or implied warranties or assurances with regard to this information. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
At any point in the process, PSIRT can choose to issue or update a security advisory if the issue becomes public.
Confidentiality
All public communication on the subject of security vulnerabilities is via PSIRT through agreed channels.
Issues which impact (in a way which can be used by an attacker) the Confidentiality, Integrity or Availability (CIA) of installations are considered to be security issues. At this point severity is not considered: if it impacts one of CIA, then it’s a security issue.
Security issues are prioritized by severity using CVSSv3 scoring:
These map to turnaround times as follows:
PSIRT can raise the priority to Critical in response to exploitation in the wild, public disclosure, etc.