CommunityUniversityDevelopersSupportLogin
Platform
Solutions
Pricing
Resources
Partners

FEATURES

View features overview

Automation

AI-powered IT Automation for All Your Endpoints

Ask Otto
Custom scripts with ease

Configuration

Automatically enforce device configurations

Worklets Catalog
Plug-and-play device configuration

Patching

Automated Cross-OS & Hundreds of Third-Parties

Software Catalog
Truly automated, secure patching

Vulnerability Remediation

Automated and Manual Vuln Sync and Remediation

Automated Vulnerability Remediation (AVR)
Connect to scanners and remediate in minutes

Remote Control

Instantly Troubleshoot Windows and macOS

Reporting

Dashboard, PDF Exports and API Flexibility

Deployment

Automatically Deploy Hundreds of Software Titles

Cloud Architecture

Zero Hardware and Fast, Reliable Agent

Services & Support Plans

Maximize your ROI + upskill your team

Security

Best-in-class security, always free

INSTANT DEMOS

Deploy in Seconds

Remote Access

FixNow

Ask Otto AI Scripting

Software Deployment

Single Pane Dashboard

Automate with Worklets

Find & Fix Vulnerabilities

Worklets Catalog

Cross OS Patching

Cross OS Visibility

Desired State Config

Endpoint Organization

Secure Script Signing

Ratings & Reviews

Thousands of Customers Managing 1,250,077 Endpoints

OUTCOMES

Automated Cross-OS Updates

Everything Updated — Desktops, Laptops, Servers

Visibility & Reporting

Prove Everything in Your Environment is Up to Date

Automated Software Updates

One Source to Keep All Your Software Up to Date

Zero-Hardware IT Cloud

No VPN, No Servers, One Fast, Reliable Agent

Automated Configuration

Eliminate Drift and Keep Everything Up to Date

Cross-Platform Troubleshooting

Quickly Resolve Windows & macOS Tickets

INDUSTRIES

State & Local Government

K-12 Education

Colleges & Universities

Pharmaceuticals

Sports Organizations

MSPs

SaaS

TOPICS

View all

IT Automation

Patching & Endpoint Automation

Vulnerability Remediation

IT Operations

Patch Tuesday

Automox Updates

SOURCES

View all

Events

Blog

Reports & Guides

Case Studies

Solution Briefs

News & Press

Videos

Podcasts

FEATURED

UPCOMING

View all

AUTOMOX+

View partners overview

Rapid7

Maximize your Rapid7 investment with Automox

ServiceNow

Empower your data to do more

SentinelOne

Scale and safeguard every endpoint, easily

Splunk

Comprehensive insights drive better decisions, faster

Crowdstrike

The new standard in cloud-native endpoint security

Freshworks

Streamlined IT service management

lansweeper

Cut complexity and conquer vulnerabilities

Microsoft InTune

Get Intune with your endpoint management

MORE WAYS TO BUY

Distributors & Resellers

Outside the US and Canada

Managed Service Providers

Find an Automox MSP

AWS Marketplace

Vulnerability Disclosure Program

Table of Contents

  1. Introduction
  2. What you can expect from Automox
  3. What Automox requires of you
  4. Rules of engagement
  5. Reporting guidelines
  6. In-scope Systems and Services
  7. Non-qualifying vulnerabilities
  8. Monetary rewards
  9. Safe Harbor

Introduction

At Automox, we deeply value the importance of security research and the significant contributions it makes towards a secure future. With this in mind, we have established our Vulnerability Disclosure Program (VDP) as a secure and transparent avenue for the public to report any vulnerabilities they may uncover in our products or services.

What you can expect from Automox

You can expect the following from Automox when participating in the program:

  • We will work with you to validate your findings.
  • We will strive to fully triage your report within 3 business days.
  • We will strive to remediate valid findings within 120 days.
  • We will recognize your findings if you are the first to report a unique and significantly impactful vulnerability through the VDP.
  • We will provide you with status updates regarding your report at a frequency based on the severity of your finding:
    • High: 30 days
    • Medium: 90 days
    • Low: 120 days

What Automox requires of you

  • Adhere to the rules of engagement.
  • Notify us as soon as possible once you discover a real or potential security finding.
  • Operate in good faith.

Rules of engagement

  1. You must provide a working Proof of Concept (POC).
  2. Use only disclosures@automox.com to submit reports and communicate with Automox regarding your findings.
  3. Be sure to include all occurrences of the same finding in one report instead of submitting them as multiple reports.
  4. Do not discuss vulnerabilities outside of the VDP without express consent from Automox.
  5. Do not intentionally view, store, modify, or destroy data that does not belong to you.
  6. Do not engage in social engineering or phishing of customers or employees.
  7. Do not engage in disruptive testing like DoS/DDoS, or anything that has a realistic potential to diminish the quality of Automox's services or disrupt the experience of our customers.
  8. Do not engage in testing using anything other than test accounts.
  9. Do not violate any laws or breach the Automox Master Services Agreement to discover vulnerabilities.
  10. You must adhere to in scope and out of scope systems and services (see below).

Automox acknowledges the value of security research automation tools and does not intend to limit their usage. However, if these tools lead to availability problems, Automox will prevent their usage to ensure uninterrupted operation of our systems and services.

List of Banned Tools

The following tools are explicitly banned from use in our environment. Automox will update this list from time-to-time, so be sure to validate against the current list before using any new tool.

  • SQLmap or similar
  • ffuzz/wfuzz
  • Any tool designed to cause a Denial of Service

Reporting guidelines

Please email disclosures@automox.com to report a vulnerability. By sending an email, you confirm that you meet the requirements of Automox's VDP. Include the following details within your report:

  • A description of the finding including all instances, hosts or endpoints where it may be located
  • Attack scenario/exploitability, and the security impact of the bug to our applications, customers, systems, or services
  • Screenshots or videos that demonstrate the problem.
  • Step-by-step instructions on how to reproduce the finding, including any HTTP requests or exploit code.
  • If applicable, a log of all activity related to your discovery, including your IP address(es) and timestamped requests to aid us in validation and investigation.

What not to do:

  • Do not upload screenshots, videos, or exploit code to a publicly accessible server/repository (first or third party) in preparation of your email.
  • Do not zip or archive your files (just attach them directly to the form/email).
  • Do not provide low quality reports such as those which only contain automated output.

In-scope Systems and Services

  • *.automox.com

Out of scope

The following domains identified here are considered out-of-scope and are not authorized for testing.

  • help.automox.com
  • community.automox.com
  • developer.automox.com
  • discover.automox.com
  • insiders.automox.com
  • listen.automox.com
  • msp.automox.com
  • partners.automox.com
  • security.automox.com
  • training.automox.com
  • university.automox.com
  • Domains registered to Automox but hosted by a third party

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Non-qualifying vulnerabilities

It is possible that certain findings may not hold much relevance or practical importance for the security of Automox products, systems or services. A finding that would be considered low-value, and therefore would not qualify for a reward include, but are not limited to the vulnerabilities below. Automox will evaluate all findings in good faith, and Automox's determination is final and binding on all parties.

  • Denial of Service (DoS).
  • Descriptive or verbose error pages without proof of exploitability or obtaining sensitive information.
  • Content spoofing and/or text injection findings without showing an attack vector.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Clickjacking on pages with no sensitive actions.
  • Output from Automated Scanners without a PoC to demonstrate a specific vulnerability.
  • Google Maps API Keys
  • Findings that require unlikely user interaction by the victim.
  • Findings related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Vulnerabilities only affecting users of outdated or unpatched browsers.
  • Informational disclosure of non-sensitive data.
  • Software version disclosure / Banner identification findings.
  • Missing best practices in Content Security Policy.
  • Missing best practices in SSL/TLS configuration.
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Rate limiting or brute-force findings on non-authentication endpoints.

Monetary rewards

Automox may offer a monetary reward for findings that identify a vulnerability that presents a significant business impact to our products, systems or services. Eligibility for monetary recognition is determined by calculating the internal severity of a finding against the potential impact to Automox and our customers. Monetary rewards for qualifying findings will range from $100 to $5000. We reserve the right, in our sole discretion, to determine if a vulnerability disclosure qualifies for a monetary reward.

If your report is determined to be valid and significant, the following rules apply:

  • You must be the first person to report the finding to us. We will review duplicate findings to see if they provide additional information, but otherwise typically recognize only the first reporter.
  • You must be in compliance with this policy.
  • You must not reside in a country currently on a United States sanctions list.
  • You must report in your individual capacity, and not on behalf of a company or entity.
  • You must maintain communication with our team to supply additional information as needed to reproduce and triage the finding.
  • You must be 18 years or older and have the ability to receive electronic payments.
  • Active and former Automox employees, their family members and their household members are not eligible for participation in this program.
  • You may be required to provide additional documentation to receive payment of a reward.
  • By participating in this program, you consent to allow Automox to share your contact information with our third party payment processor to receive payment of a reward.
  • You are responsible for any applicable income tax on your reward.
  • We provide a reward after validation of the finding if eligible.

Safe Harbor

Any activities conducted in a manner consistent with this program will be considered authorized conduct and we will not initiate legal action against you.

Start your free trial.

Join over 1,249,577 endpoints managed with Automox.

start your free trial now

PRODUCT

OverviewFeaturesWorkletsPricingRoadmap

COMPANY

AboutLeadershipNewsCareersDiversity in ITContact

DOCS

DocsAPIFAQ

CUSTOMERS

SupportCommunityUniversityDevelopersPartners

SOCIAL

LEGALTerms of UsePrivacy PolicyMaster Services Agreement
CSA STAREU-US DPGDPRPCI DSSSOCTX-RAMP
Copyright © 2024 Automox. AUTOMOX is a registered trademark in the US and other countries.
CSA STAREU-US DPGDPRPCI DSSSOCTX-RAMP