## Overview
We follow a structured and transparent vulnerability management lifecycle to protect our infrastructure, backend services, and customer data. Our goal is to rapidly detect, prioritize, and resolve security issues while minimizing risk to users and stakeholders.
## Reporting a Vulnerability
We welcome reports from security researchers and the community. If you discover a vulnerability in our services, please contact us:
- Email: security@aampe.com
- PGP Key: Download public key
- Fingerprint: `80E7 E16E 68DD 22EA 05D4 5FF7 D954 8640 931E 8FAA`
- Response Time: We aim to respond within 2 business days.
We support and adhere to Coordinated Vulnerability Disclosure (CVD) practices and will work with researchers to resolve issues transparently and responsibly.
## Triage & Prioritization
All reported or internally discovered vulnerabilities are reviewed and scored based on:
- Severity: Using CVSS v3.1 where applicable
- Exploitability: Ease of exploitation
- Impact: Potential effect on user data or systems
- Exposure: Public-facing vs. internal systems
We classify issues into four categories:
| Severity | Examples | Target Fix Timeline |
|---|---|---|
| Critical | Remote code execution, exposed secrets, authentication bypass | 48 hrs |
| High | Privilege escalation, sensitive data exposure | 5 business days |
| Medium | DoS, misconfigurations | 15 business days |
| Low | Informational findings, best-practice violations | 30 business days |
## Remediation Process
1. Issue Logged: All vulnerabilities are tracked internally in a secure ticketing system.
2. Owner Assigned: A relevant engineering team is assigned immediately.
3. Fix Developed: Patches or mitigations are developed and peer-reviewed.
4. Testing: Security regression tests and automated/unit tests are run to validate the fix.
5. Deploy & Monitor: Fixes are deployed to production; relevant logs and metrics are monitored for anomalies.
## Disclosure & Notification
If a vulnerability has user-facing impact, we will:
- Notify affected users directly via email or Slack
- Provide a summary of the issue and resolution
- Share mitigation steps, if required
## Continuous Improvement
We proactively strengthen our security posture by:
- Running regular static and dynamic code scans (SAST/DAST)
- Conducting third-party penetration tests annually
- Using automated dependency scanning tools (e.g., Dependabot, Snyk)
- Reviewing all infrastructure changes for security impact
## Thank You
We appreciate the work of security researchers and our user community in helping us maintain a secure environment. Your trust matters to us.
Aampe Security