Responsible Disclosure
AWRA welcomes good-faith vulnerability reports that help protect customers, vendors, operational records, and the integrity of the platform. This page explains how to report issues without harming users or systems.
In scope
AWRA public website pages, authenticated AWRA OpsHub application workflows, vendor portal flows, public help center, API endpoints owned by AWRA, and mobile workflows operated under AWRA domains or official AWRA apps.
Out of scope
Third-party services not controlled by AWRA, denial-of-service testing, social engineering, physical attacks, spam, privacy-invasive testing, automated scanning that disrupts service, and issues that require access to another customer workspace.
Do not access, copy, change, delete, exfiltrate, or disclose customer records. If you accidentally encounter sensitive data, stop testing and include only the minimum evidence needed for validation.
When research is conducted in good faith, avoids harm, respects privacy, and follows this policy, AWRA aims to handle the report constructively and without adversarial escalation.
What to include
Please keep reports factual and focused. Use a minimal proof of concept, avoid customer data, and remove secrets from screenshots or request samples.
How AWRA handles reports
We review the intake and acknowledge credible reports as quickly as practical through the contact channel provided.
We validate reproducibility, severity, affected assets, exploitability, and whether customer data or system integrity could be impacted.
We prioritize fixes based on severity and may deploy code, configuration, access-control, monitoring, or documentation changes.
We communicate material status updates where appropriate and ask researchers to avoid public disclosure before remediation is complete.
Use only accounts, organizations, and data you own or are explicitly authorized to test. Do not degrade service, bypass billing for benefit, alter records, or attempt persistence.
Please do not publicly disclose details until AWRA has investigated, remediated, and had reasonable time to protect customers. We may coordinate timing for validated issues.
This policy does not create a paid bounty program. Recognition, if any, is discretionary and depends on report quality, impact, conduct, and business constraints.
Safe testing checklist
AWRA is an operational platform. A small test can affect inventory, approvals, finance, vendor records, or customer data if it is not scoped carefully. Use this checklist before sending a report.
Do not perform
Load testing, resource exhaustion, stress testing, or any activity that may degrade AWRA services.
Phishing, impersonation, pretexting, support manipulation, or attempts to trick AWRA staff, customers, vendors, or users.
Reading, copying, altering, exporting, deleting, or disclosing data that does not belong to you.
Any attack against facilities, devices, staff, data centers, networks, or equipment.
Mass messaging, brute force attempts, credential stuffing, scraping, enumeration at scale, or nuisance testing.
Testing payment processors, email providers, analytics tools, infrastructure vendors, or customer integrations outside AWRA control.
Severity guidance
These examples are not exhaustive. AWRA may adjust severity after reviewing affected assets, permissions, reproducibility, prerequisites, and customer impact.
Remote code execution, authentication bypass, tenant isolation failure, unrestricted customer data access, or privilege escalation to organization admin.
Access control flaws exposing sensitive records, write actions without authorization, exploitable file upload, or leakage of secrets or tokens.
Limited information disclosure, stored XSS with meaningful impact, CSRF on sensitive action, or workflow manipulation requiring user interaction.
Non-sensitive misconfiguration, missing security headers with limited exploitability, rate-limit improvements, or minor UI information leakage.
Report template
Subject: Responsible Disclosure Report - [short issue title]
Affected asset: [URL, route, app screen, API endpoint, mobile flow]
Account used for testing: [your own test account or demo context]
Steps to reproduce: [numbered minimal steps]
Observed result: [what happened]
Expected secure result: [what should happen]
Impact: [who could be affected and how]
Evidence: [screenshots or redacted request samples]
Researcher contact: [name or handle and email]
Communication expectations
For credible submissions, AWRA aims to acknowledge the report and ask clarifying questions if needed.
The team may attempt to reproduce the issue, review logs, compare expected access rules, and inspect relevant code or configuration.
Material updates are shared when practical, especially for higher-severity issues or when we need researcher confirmation.
Please wait for remediation and coordination before publishing details. Premature disclosure can put customers at risk.
If customer action is needed, AWRA may notify affected customers through appropriate security or support channels.
AWRA may acknowledge helpful researchers at its discretion, subject to researcher preference and report quality.