Responsible Disclosure

In Scope

The following AhaSend systems are in scope for security research:

• The AhaSend Platform (https://dash.ahasend.com)
• The AhaSend API (https://api.ahasend.com)
• The AhaSend Website (https://ahasend.com)

While AhaSend develops other products, we ask that all security researchers submit vulnerability reports only for the stated product list. We intend to increase our scope as we develop other products.

Legal Posture

We will not engage in legal action against individuals who submit vulnerability reports to AhaSend's Security Team. We openly accept reports for the currently listed products. We agree not to pursue legal action against individuals who:

• Engage in testing of systems/research without harming AhaSend or its customers.
• Engage in vulnerability testing within the scope of our vulnerability disclosure program.
• Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
• Adhere to the laws of their location and the location of AhaSend. For example, violating laws that would only result in a claim by AhaSend (and not a criminal claim) may be acceptable as AhaSend is authorising the activity (reverse engineering or circumventing protective measures) to improve its system.
• Refrain from disclosing vulnerability details to the public before a mutually agreed-upon time frame expires.

Terms and Conditions

By submitting information in the scope and context of this Policy ("the Report") to AhaSend:

• You agree that you are acting in good faith and commit to adhering to the guidelines laid out in this policy.
• You agree that AhaSend may use the Report to update and/or improve its software; and you grant to AhaSend a non-exclusive, perpetual, irrevocable, worldwide, royalty-free license, with the right to sublicense to AhaSend's licensees and customers, under all relevant intellectual property rights, to use, publish, and disclose the Report in any manner AhaSend chooses and to display, perform, copy, make, have made, use, sell, and otherwise dispose of AhaSend's and its sub licensee's products or services embodying Report in any manner and via any media AhaSend chooses, without reference to the source. AhaSend shall be entitled to use the Report for any purpose without restriction or remuneration of any kind with respect to You and/or Your representatives.

Preference, Prioritization, and Acceptance Criteria

We will use the following criteria to prioritise and triage submissions.

What we would like to see from you

• Well-written reports in English
• Reports that include proof-of-concept code
• Reports that include more than only crash dumps or other automated tool output
• Reports that include how you found the bug, the impact, and any potential remediation.

What you can expect from us

• A timely response to your email
• After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
• An open dialog to discuss issues.
• Notification when the vulnerability has been validated and fixed.