Security Policy - Responsible Disclosure

Overview

We take the security of our systems and services seriously. We appreciate the security research community's efforts to help us maintain the highest security standards. This policy outlines the guidelines for security researchers when searching for or reporting security vulnerabilities.

Scope

In Scope

The following systems and services are within the scope of our security research program:

Main website and web applications: https://subnoto.com and all subdomains

API endpoints: All publicly accessible API endpoints

Infrastructure: Publicly accessible network services and infrastructure

Third-party integrations: Security issues in our implementation of third-party services

Out of Scope

The following areas are considered out of scope for our security research program:

Third-party services: Issues in third-party services we use (report directly to the vendor)

Physical security: Physical access to our facilities or equipment

Social engineering: Attacks against our employees or users

Denial of Service attacks: Any testing that could impact service availability

Spam or content injection: Non-security related content issues

Issues requiring physical access to user devices or accounts

Responsible Disclosure Guidelines

What We Expect From You

Do:

Provide detailed reports with clear steps to reproduce the vulnerability

Allow reasonable time for us to investigate and address the issue before public disclosure

Avoid accessing, modifying, or deleting data belonging to others

Only test against systems you own or have explicit permission to test

Respect user privacy and do not access or retain personal information

Report vulnerabilities as soon as possible after discovery

Use the latest version of applications when testing

Don't:

Engage in activities that could harm our systems, services, or users

Access, modify, or delete data that doesn't belong to you

Disrupt our services or degrade the user experience

Perform testing that could impact other users

Share vulnerabilities publicly before we've had time to address them

Demand compensation or threaten public disclosure for leverage

Safe Harbor

We commit to the following safe harbor for security researchers who:

Follow this responsible disclosure policy

Report vulnerabilities in good faith

Do not violate any laws or breach any agreements

Our commitments:

We will not pursue legal action against researchers acting in good faith

We will work with researchers to understand and resolve security issues

We will acknowledge researchers who help improve our security (with permission)

We will provide reasonable time for investigation and remediation

Reporting Process

How to Report a Vulnerability

Step 1: Initial Report

Send your initial report to our security team using one of these methods:

Security Portal: https://subnoto.com/.well-known/security.txt

Step 2: Required Information

Please include the following information in your report:

Summary: Brief description of the vulnerability

Severity: Your assessment of the potential impact

Steps to Reproduce: Detailed, step-by-step instructions

Proof of Concept: Evidence demonstrating the vulnerability

Affected Systems: Specific URLs, applications, or systems affected

Browser/Environment: Technical details about your testing environment

Potential Impact: Description of what an attacker could achieve

Suggested Fix: Recommendations for remediation (if applicable)

Step 3: Our Response Process

We will respond according to the following timeline:

Initial acknowledgment: Within 2 business days

Triage and validation: Within 5 business days

Regular updates: Every 7 days during investigation

Resolution timeline: Varies based on severity and complexity

Severity Classification

We use the following severity levels based on CVSS v3.1 scoring:

Severity Levels

Severity   CVSS v3.1 score   Examples
Critical   9.0-10.0          Remote code execution on critical systems; full system compromise; mass data exposure
High       7.0-8.9           Privilege escalation to admin level; significant data exposure; authentication bypass on sensitive systems
Medium     4.0-6.9           Limited privilege escalation; moderate data exposure; cross-site scripting with significant impact
Low        0.1-3.9           Information disclosure with minimal impact; minor authentication issues; low-impact injection vulnerabilities

Communication Guidelines

Response Times

Critical/High: Initial response within 24 hours, updates every 2-3 days

Medium: Initial response within 48 hours, updates weekly

Low: Initial response within 5 business days, updates bi-weekly

Public Disclosure

We follow a coordinated disclosure approach:

Standard timeline: 90 days from initial report

Extended timeline: May be negotiated for complex issues

Immediate disclosure: For issues actively being exploited

Early disclosure: With mutual agreement between all parties

Contact Information

Security Team Contacts

Primary Email: [email protected]

PGP Key: OpenPGP keyserver

Frequently Asked Questions

Can I test on production systems?

Limited testing is permitted on production systems, but you must not impact service availability or access data belonging to others.

What if I find a vulnerability in a third-party service you use?

Please report it directly to the third-party vendor and inform us if it affects our implementation.

Can I publicly discuss the vulnerability before it's fixed?

No, please wait until we've had adequate time to investigate and address the issue.

What happens if I accidentally cause damage during testing?

Contact us immediately. If you were following this policy in good faith, we will work with you to resolve the situation.

How do I know if my report was received?

You will receive an automated confirmation within 24 hours, followed by human acknowledgment within our stated response times.


Privacy-friendly e-signatures made in France 🇫🇷

© 2025 Subnoto. All rights reserved.
