We take the security of our systems and services seriously. We appreciate the security research community's efforts to help us maintain the highest security standards. This policy outlines the guidelines for security researchers when searching for or reporting security vulnerabilities.
The following systems and services are within the scope of our security research program:

- Main website and web applications: https://subnoto.com and all subdomains
- API endpoints: All publicly accessible API endpoints
- Infrastructure: Publicly accessible network services and infrastructure
- Third-party integrations: Security issues in our implementation of third-party services
The following areas are considered out of scope for our security research program:

- Third-party services: Issues in third-party services we use (report directly to the vendor)
- Physical security: Physical access to our facilities or equipment
- Social engineering: Attacks against our employees or users
- Denial of Service attacks: Any testing that could impact service availability
- Spam or content injection: Non-security related content issues
- Issues requiring physical access to user devices or accounts
When conducting security research, you should:

- Provide detailed reports with clear steps to reproduce the vulnerability
- Allow reasonable time for us to investigate and address the issue before public disclosure
- Avoid accessing, modifying, or deleting data belonging to others
- Only test against systems you own or have explicit permission to test
- Respect user privacy and do not access or retain personal information
- Report vulnerabilities as soon as possible after discovery
- Use the latest version of applications when testing

You must not:

- Engage in activities that could harm our systems, services, or users
- Access, modify, or delete data that doesn't belong to you
- Disrupt our services or degrade the user experience
- Perform testing that could impact other users
- Share vulnerabilities publicly before we've had time to address them
- Demand compensation or threaten public disclosure for leverage
We commit to the following safe harbor for security researchers who:

- Follow this responsible disclosure policy
- Report vulnerabilities in good faith
- Do not violate any laws or breach any agreements

Our commitments:

- We will not pursue legal action against researchers acting in good faith
- We will work with researchers to understand and resolve security issues
- We will acknowledge researchers who help improve our security (with permission)
- We will provide reasonable time for investigation and remediation
Send your initial report to our security team using one of these methods:

- Security Portal: https://subnoto.com/.well-known/security.txt

Please include the following information in your report:

- Summary: Brief description of the vulnerability
- Severity: Your assessment of the potential impact
- Steps to Reproduce: Detailed, step-by-step instructions
- Proof of Concept: Evidence demonstrating the vulnerability
- Affected Systems: Specific URLs, applications, or systems affected
- Browser/Environment: Technical details about your testing environment
- Potential Impact: Description of what an attacker could achieve
- Suggested Fix: Recommendations for remediation (if applicable)
We will respond according to the following timeline:

- Initial acknowledgment: Within 2 business days
- Triage and validation: Within 5 business days
- Regular updates: Every 7 days during investigation
- Resolution timeline: Varies based on severity and complexity
We use the following severity levels based on CVSS v3.1 scoring:

| Severity Level | CVSS v3.1 Score Range | Examples |
|---|---|---|
| Critical | 9.0-10.0 | Remote code execution on critical systems, full system compromise, mass data exposure |
| High | 7.0-8.9 | Privilege escalation to admin level, significant data exposure, authentication bypass on sensitive systems |
| Medium | 4.0-6.9 | Limited privilege escalation, moderate data exposure, cross-site scripting with significant impact |
| Low | 0.1-3.9 | Information disclosure with minimal impact, minor authentication issues, low-impact injection vulnerabilities |
Response times by severity:

- Critical/High: Initial response within 24 hours, updates every 2-3 days
- Medium: Initial response within 48 hours, updates weekly
- Low: Initial response within 5 business days, updates bi-weekly
We follow a coordinated disclosure approach:

- Standard timeline: 90 days from initial report
- Extended timeline: May be negotiated for complex issues
- Immediate disclosure: For issues actively being exploited
- Early disclosure: With mutual agreement between all parties

Contact details:

- Primary Email: [email protected]
- PGP Key: OpenPGP keyserver
Limited testing is permitted on production systems, but you must not impact service availability or access data belonging to others.
Please report it directly to the third-party vendor and inform us if it affects our implementation.
No, please wait until we've had adequate time to investigate and address the issue.
Contact us immediately. If you were following this policy in good faith, we will work with you to resolve the situation.
You will receive an automated confirmation within 24 hours, followed by human acknowledgment within our stated response times.