Responsible disclosure policy
We welcome and reward good-faith security research. If you believe you've found a vulnerability in AMLRegister, please report it through the channels below. You'll hear back from us within 3 business days.
In scope
- https://amlregister.com and all subdomains we operate
- REST API endpoints at api.amlregister.com
- Authentication, session management, and access control on any authenticated surface
- Client-side issues on any page: cross-site scripting (XSS), HTML injection, and cross-site request forgery (CSRF)
- Server-side injection: SQL, OS command, and template injection
- Logic flaws that expose other users' data or allow privilege escalation (for example, missing authorisation checks on object references)
- Business-logic issues that bypass rate limiting or other abuse controls
Out of scope
- Denial-of-service or volumetric attacks
- Social engineering of our staff or customers
- Physical intrusion attempts
- Findings against third-party services we don't operate
- Reports from automated scanners without demonstrated impact
- Self-XSS that requires a user to paste code into their own browser console
- Attacks requiring physical access to a user's device
How to report
1. Verify the finding. Please confirm the issue is reproducible before reporting. Reduce it to a minimal example and note any prerequisites (account type, configuration, preconditions).
2. Email security@amlregister.com. Include a clear description, reproduction steps, the affected endpoint or page, and any evidence (screenshots, request/response samples, proof-of-concept). Keep evidence to the minimum needed to demonstrate the issue and do not include other users' data. PGP-encrypted reports are welcome; the key fingerprint is published in our security.txt file.
3. Give us time to respond. We acknowledge within 3 business days and commit to an initial assessment within 14 days. Please do not publicly disclose the finding until we've had a reasonable opportunity to investigate and remediate.
4. Coordinated disclosure. When a fix is live, we'll work with you on timing for any public disclosure. With your consent, we'll credit you publicly in a post-incident note.
Safe harbour
Research conducted in good faith and within the scope of this policy will not result in legal action by Okanewatch LTD. For UK-based researchers this means we will not pursue action under the Computer Misuse Act 1990 in respect of research that complies with this policy; researchers in other jurisdictions receive the equivalent assurance under their local law. Note that we can speak only for Okanewatch LTD and cannot bind third parties or law-enforcement authorities, which is one reason the scope limits above matter.
Safe harbour does not apply to activities beyond the scope of this policy, including: disruption of production services, attacks on third parties, accessing data beyond what is strictly necessary to demonstrate the vulnerability, or any activity that creates risk to customer data or service availability.
We do not currently operate a paid bug-bounty programme but may offer gestures of thanks for significant findings. Public acknowledgement is given with the researcher's consent in a post-incident note or in the Hall of fame on this page.
Hall of fame
We'll list researchers who've helped us here, with their consent. If you've reported a valid finding and want to be listed, let us know.