For the prevention of vulnerabilities, Athento takes the following measures:
- Secure Code
- Security Measures of the Datacenters used
- Hardening measures
- Antivirus Policy
- Automated ethical hacking tests: Athento uses tools such as Detectify that perform automated security tests on the application and databases and scan assets for vulnerabilities, including OWASP Top 10, CORS, Amazon S3 Bucket and DNS misconfigurations.
- Bug Bounty Program: Athento actively recruits ethical hackers to discover software vulnerabilities.
- Enterprise customer penetration testing: Customers on Enterprise plans can request scheduled ethical attacks for their security teams to verify that Athento complies with the main security standards in the market.
Athento maintains a self-assessment report in accordance with the Cloud Security Alliance. The report is reviewed annually and is available only to Athento's enterprise customers after signing an NDA.
Procedure for possible vulnerabilities
When a potential security problem is detected, Athento will take the following steps to address the issue:
- Assess the scope and severity of the problem.
- Perform a product upgrade as soon as possible that resolves the potential risk.
- Once the known vulnerability is detected, we will inform our customers about the update.
Our team's priority is to resolve any vulnerability in the service as soon as possible. As soon as vulnerabilities are detected, they will be published in the Release Notes of the version with the vulnerability.
Once the potential vulnerability has been fixed, we will send an email notifying customers that the vulnerability has been resolved, with details of its resolution.
The email will be sent to all authorized support contacts.
In case of possible data loss, affected customers will be notified immediately and informed of the measures to be taken to resolve their situation.
Notification Severity Level
The notifications will also indicate the severity of the vulnerability resolved. The vulnerability levels are described below.
These types of vulnerabilities can compromise the system in any of the following ways:
| Severity | Description |
|---|---|
| Critical | Some of the above vulnerabilities have been detected but only at the level of the reporting customer. |
| Major | All vulnerabilities that do not meet the characteristics of the two previous categories are grouped under this severity category. |
How to Report Potential Vulnerabilities
Any incident or vulnerability detected should be reported immediately through the contact mechanisms of our support service.