Responsible disclosure

At Aqqo, we give priority to the security of our systems. Despite our continuous efforts to keep our systems secure, vulnerabilities may occasionally arise. If you have identified a vulnerability in one of our systems, please notify us immediately so that we can resolve the problem as soon as possible. We value collaboration, and our goal is to work together to better protect our customers and our infrastructure.

Responsible disclosure policy

If you’ve discovered a potential security issue in our systems, we kindly ask you to report it safely and discreetly. By doing so, you help us protect our users, improve our services, and maintain trust across our platform.

Please take a moment to review the following guidelines before submitting your findings:

How to report

  • Email your findings to responsibledisclosure@aqqo.com
  • Please encrypt your report using our PGP key to ensure that the information doesn’t fall into the wrong hands
  • Use a clear subject line, for example: ‘Vulnerability report - [system/URL]’

Scope

This policy applies to systems and services owned, operated, or controlled by Aqqo.

In scope (examples): 

  • Web applications and APIs hosted under: [list primary domains, e.g., aqqo.com, app.aqqo.com, api.aqqo.com] 
  • Aqqo-controlled infrastructure supporting these services
  • Official Aqqo mobile apps (if applicable): [iOS/Android app names or store links] 

Out of scope (examples): 

  • Third-party services not controlled by Aqqo (e.g., external providers), unless the issue is demonstrably caused by Aqqo’s configuration
  • Issues in systems where you do not have authorization to test 
  • Physical attacks against offices, employees, or facilities 

If you are unsure whether a target is in scope, please contact us first at responsibledisclosure@aqqo.com.

Rules of engagement 

When researching and reporting a vulnerability, please:

  • Do not exploit the vulnerability beyond what's necessary to demonstrate the impact. For example, do not download more data than needed, and do not access, delete, or modify third-party data.
  • Respect privacy and confidentiality. Do not share details with others until the issue is resolved, and erase any confidential data obtained through the vulnerability as soon as it is no longer needed for validation.
  • Avoid disruption. Do not use physical security attacks, social engineering, distributed denial of service (DDoS), spam, or any testing that harms availability or performance. 
  • Act in good faith and stay within scope. Avoid repeated automated scanning, high-volume requests, or actions that could affect other users. 

What to include in your report 

To help us triage and fix the issue quickly, please provide:

  • The affected IP address / domain / URL
  • A clear description of the vulnerability and its realistic impact 
  • Steps to reproduce (including request/response examples where helpful) 
  • Any proof-of-concept, screenshots, or logs (sanitized where possible) 
  • Whether you believe personal data could be exposed or misused
  • Your preferred contact details and whether you’d like public credit if the issue is disclosed 

Scope and severity 

We prioritize vulnerabilities that have a clear, realistic impact on the confidentiality, integrity, or availability of data or accounts. Examples include authentication or authorization bypasses, injection issues, and direct data exposure.

We may offer rewards, at our discretion, for valid reports of previously unknown vulnerabilities with sufficient severity and impact.

The following categories are generally not eligible for rewards (though we may still address them as hardening or best-practice improvements):

  • Best-practice or defense-in-depth recommendations without a demonstrated attack scenario (e.g., additional security notifications, missing or non-optimal security headers without exploit).
  • Self-XSS or issues that require the victim to modify their own browser/DevTools or run arbitrary code in their own console. 
  • Issues that assume the user’s device, browser, or email account has already been compromised.

Rewards 

As a token of gratitude, we may offer discretionary rewards for valid reports of a previously unknown security issue. Rewards are determined based on severity, impact, and the quality of the report, starting with a voucher worth €25.

Rewards are generally not offered for: 

  • Duplicate reports of previously known issues (whether previously reported externally or identified internally)
  • Issues that are out of scope 
  • Low-impact findings without a demonstrated attack scenario (see 'Scope and severity') 

We may not always be able to share details of our internal assessments or prior knowledge about specific issues.

Our commitment

Our goal is to address all issues as quickly as possible.

Contact us at responsibledisclosure@aqqo.com if you have any questions about our policy.