Vulnerability Disclosure Program


At Automox, we deeply value the importance of security research and the significant contributions it makes towards a secure future. With this in mind, we have established our Vulnerability Disclosure Program (VDP) as a secure and transparent avenue for the public to report any vulnerabilities they may uncover in our products or services.

What you can expect from Automox

You can expect the following from Automox when participating in the program:

What Automox requires of you

Rules of engagement

List of Banned Tools

The following tools are explicitly banned from use in our environment. Automox will update this list from time-to-time, so be sure to validate against the current list before using any new tool.

Reporting guidelines

Please email to report a vulnerability. By sending an email, you confirm that you meet the requirements of Automox's VDP. Include the following details within your report:

What not to do:

In-scope Systems and Services

Out of scope

The following domains identified here are considered out-of-scope and are not authorized for testing.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Non-qualifying vulnerabilities

It is possible that certain findings may not hold much relevance or practical importance for the security of Automox products, systems or services. A finding that would be considered low-value, and therefore would not qualify for a reward include, but are not limited to the vulnerabilities below. Automox will evaluate all findings in good faith, and Automox's determination is final and binding on all parties.

Monetary rewards

Automox may offer a monetary reward for findings that identify a vulnerability that presents a significant business impact to our products, systems or services. Eligibility for monetary recognition is determined by calculating the internal severity of a finding against the potential impact to Automox and our customers. Monetary rewards for qualifying findings will range from $100 to $5000. We reserve the right, in our sole discretion, to determine if a vulnerability disclosure qualifies for a monetary reward.

If your report is determined to be valid and significant, the following rules apply:

Safe Harbor

Any activities conducted in a manner consistent with this program will be considered authorized conduct and we will not initiate legal action against you.