Information for security researchers

Occasionally, security researchers contact Aiir with a view to testing our products or services.

On this page, we explain our stance on penetration testing and reporting bugs or vulnerabilities.

The following applies to all our products, including the Aiir platform, PlayoutONE and Audio.co.

🪲 Reporting bugs or vulnerabilities

Aiir does not offer any rewards for reported bugs or vulnerabilities.

A bug bounty incentivises people to use AI tools to find and make up "problems" in bad faith, so we do not engage with generic, unsolicited vulnerability reports.

We still appreciate and value genuine, product-specific issue reports from our customers. By sharing your findings with Aiir, you agree that any information you provide may be acted upon if our Product Development team see fit, without any guarantee of a reward or credit.

🔓 Penetration testing

Penetration tests (AKA pen tests) are automated security tests that can be performed to evaluate the security of a computer system.

We're occasionally informed by customers, typically larger enterprises, that they plan to perform a pen test of their websites hosted by Aiir.

We don't object to this, and there's no requirement to inform us in advance if you plan to do so.

However, we know from experience that automated pen tests may easily get caught by our firewall and have their IP addresses quickly blocked by our automated systems.

Often, the person running the test contacts us to ask whether the test's IP address can be 'whitelisted' so it won't be blocked.

We may sometimes cooperate with these requests at our discretion; however, we reserve the right to deny them.

Our systems are in place for a reason: to protect our infrastructure and ensure the security and stability of our products and services for all our customers.

In our experience, pen tests can be poorly set up. Without any throttling in place, they can quickly send an enormous amount of traffic from a small number of IP addresses, threatening the stability of our services.

For this reason, we will err on the side of denying requests to be whitelisted. Conducting a test with a whitelisted IP address creates an unrealistic attack environment that no genuine threat would have access to.
