• You may not use automated tools in your research without our explicit consent. Use of automated tools may result in investigative action or your IP(s) being blocked.
• You make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.
• You give us reasonable time to respond to your report and carry out remediation.
• We credit the first researcher to report an issue. Additionally, we reserve the right to only acknowledge researchers who discover issues in Acquia products or hosted services, if we determine the issue to be of a high or critical severity, or if there has been continued research or contributions made by the reporter.
• We will credit you with your name and a "no-follow" link to the address of your choosing (e.g. Twitter or personal website).
• We are not interested in reports on the following issues:
  • CSRF in forms available for anonymous user use (e.g. the contact form)
  • Displayed server software "banners" or version information
  • Issues that are being handled in public issue queues of any of our OSS projects in use
  • Click-jacking on Acquia.com domains that do not involve authenticated user accounts
• We will not bring any lawsuit or begin law enforcement investigation into you if you follow these parameters.

What details should you include when reporting a security issue

• What versions of software are involved
• What steps someone can follow to go from an initial installation of that software to a point where they see the vulnerability
• Any patches or steps to mitigate the problem