Vulnerability Disclosure Policy | Securø
Secur0
Menu
Contact
Hacker area
ES

Vulnerability Disclosure Policy

Introduction

We believe that security is a shared responsibility. We deeply value collaboration with security researchers and encourage responsible vulnerability disclosure.

This policy describes how you can research, report, and collaborate with us safely and legally.

Our commitments

When working with us under this policy, you can expect us to:

Confirmation and communication

  • Confirm receipt of your report within a maximum of 3 business days.
  • Provide an estimate of the time needed to investigate and mitigate the vulnerability.
  • Keep you regularly informed about progress and any changes to timelines.

This is in line with the recommendation to define response times and transparent communication throughout the process.

Vulnerability resolution

We commit to:

  • Validate, prioritize, and fix vulnerabilities diligently.
  • Prioritize according to impact, risk, and technical complexity.
  • Maintain open and constructive communication during remediation.

Vulnerabilities will initially remain non-public to allow for correction before disclosure.

Responsible disclosure

Once the vulnerability is resolved:

  • We may jointly agree on public disclosure of the report.
  • If there is no objection from either party, it may be disclosed after a reasonable period.
  • In complex cases, disclosure may be delayed to allow for secure remediation.

Recognition

We will publicly acknowledge your contribution if:

  • The vulnerability is valid.
  • You are the first person to report it.
  • You wish to receive public recognition (you may remain anonymous if you prefer).

Safe Harbor

If you follow this policy:

  • We consider your research authorized and in good faith.
  • We will not take legal action against you for research conducted in accordance with this policy.
  • We waive in a limited manner restrictions from our legal terms that may interfere with security research.
  • If a third party initiates legal action, we will do what is reasonable to confirm that you acted in accordance with this policy.

This follows the Safe Harbor principle recommended to protect researchers.

What we expect from you

By participating in our program, you agree to act in good faith and:

Fundamental principles

  • Respect the program rules.
  • Act for the common good.
  • Not exploit vulnerabilities beyond what is necessary.
  • Not access, modify, or destroy user data without authorization.
  • Report the vulnerability immediately.

These principles reflect HackerOne's responsible disclosure philosophy.

Best practices during testing

We ask that you:

  • Avoid affecting system availability.
  • Minimize access to sensitive data.
  • Stop testing if you encounter personal or confidential data.
  • Use only your own accounts or accounts with explicit permission.
  • Use only official channels to communicate vulnerabilities.
  • Act with patience and collaboration during the validation process.

Prohibited actions

The following activities are not authorized by default:

  • Denial of service attacks (DoS/DDoS)
  • Social engineering or phishing
  • Brute force or credential theft
  • Malware installation
  • Interception of private communications
  • Spam or attacks that degrade user experience
  • Modification or deletion of system data

These restrictions follow standard conduct practices in disclosure programs.

Out of scope vulnerabilities

The following are excluded by default:

Vulnerabilities without real impact

  • Theoretical issues without demonstrable exploitation
  • Clickjacking without sensitive actions
  • CSRF without relevant impact
  • Open redirects without additional impact
  • Disclosure of versions or error messages
  • Security configurations without demonstrated impact

Low-risk cases

  • Self-XSS or self-DoS
  • Attacks requiring physical access
  • Issues affecting only obsolete software
  • Lack of best practices without direct impact

Each program has its own out-of-scope vulnerabilities, make sure to review them before participating.

Reporting process

The report must include:

  • Clear description of the vulnerability
  • Reproducible steps
  • Proof of concept (PoC)
  • Impact assessment

Incomplete reports may delay the validation process and affect your reputation.

Public disclosure process

After closing the report:

  • The researcher may request disclosure.
  • If both parties agree, it will be published according to the agreed schedule.
  • If the vulnerability poses an active risk, we may disclose earlier to protect users (after contacting the Secur0 team first).
  • If a prolonged period passes without progress, responsible public disclosure may be considered (90 days).

These cases only apply to the type of disclosure selected by the company. You can access it on the guidelines page in each program.

Legality and compliance

Research conducted under this policy is considered:

  • Performed in good faith
  • Beneficial to the overall security of the Internet
  • Authorized within the applicable legal framework

You must always comply with applicable laws.