We take the security and privacy of our users and systems seriously. If you believe you have discovered a vulnerability in any of our services, we encourage responsible disclosure and welcome your report.
How to Report
Please report security vulnerabilities to:
- Email: [email protected]
- Subject: Security Vulnerability Disclosure - [Short Description]
- PGP Key: [optional - link to PGP public key]
Please include:
- A clear technical description of the issue
- Steps to reproduce or proof of concept (PoC)
- Affected endpoints or systems
- Any potential data impact (if applicable)
Responsible Disclosure Policy
We ask that you:
- Do not exploit the vulnerability
- Do not access, modify, or delete user data
- Do not run DoS or automated scanning tools
- Allow reasonable time (e.g. 7–30 days) for us to investigate and resolve
We commit to:
- Responding within 3 business days
- Keeping you updated during triage and remediation
- Publicly acknowledging your report (if desired)
- Not pursuing legal action for reports made in good faith
ISO/IEC 27001 Commitment
[Your Company Name] follows best practices aligned with ISO/IEC 27001 standards:
- We maintain an active Information Security Management System (ISMS)
- Incident response and vulnerability management are governed under certified controls
- Reports are triaged, assessed, and resolved according to our internal risk protocols
GDPR Data Protection Obligations
In compliance with the General Data Protection Regulation (GDPR):
- If a vulnerability involves personal data, we will evaluate it under Article 33 of the GDPR
- Where required, we will notify relevant data protection authorities or affected data subjects
- All investigation procedures follow data minimization and confidentiality principles
Our DPO may follow up with you for further coordination where applicable.
Out-of-Scope Reports
The following are generally not considered in scope:
- Clickjacking on non-authenticated pages
- Missing security headers without demonstrable impact
- Disclosure of software versions
- Rate-limiting issues without a demonstrated exploit
- Self-XSS or social engineering vectors
Recognition
We maintain a Security Hall of Fame for researchers who report valid issues. In some cases, we may offer monetary or in-kind rewards depending on severity and impact.
Contact
- Security Team: [email protected]
- DPO (for GDPR): [email protected]
- See our Privacy Policy for data processing details.
Thank you for contributing to a safer internet.