Introduction
The security of our systems and the privacy of the individuals whose data we protect are fundamental to everything we do. If you believe you have discovered a security vulnerability in any SafePorter or DataProtected system, we encourage you to report it to us responsibly.
This policy describes how to submit vulnerability reports, what we ask of you, and what you can expect from us.
Scope
This policy applies to vulnerabilities in the following systems and services operated by SafePorter LLC:
- safeportersecure.com
- ourdataprotected.com (Admin Portal)
- mydataprotected.com (Survey Platform)
- Any associated APIs, subdomains, or infrastructure supporting these services
This policy does not apply to third parties not owned or operated by SafePorter, even if they integrate with or link to our systems.
How to report a vulnerability
When reporting, please include as much of the following as possible:
- A description of the vulnerability and its potential impact
- The affected system(s) and URL(s)
- Step-by-step instructions or a proof of concept to reproduce the issue
- Any tools, scripts, or screenshots that demonstrate the vulnerability
- Your assessment of severity (Critical, High, Medium, Low)
- Your name and contact information (unless you prefer to report anonymously)
What we ask of you
- Act in good faith and avoid actions that could harm SafePorter, our clients, or the individuals whose data we protect
- Do not access, modify, delete, or exfiltrate data belonging to others
- Do not perform denial of service attacks, social engineering, or physical security testing
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
- Stop testing and report immediately if you encounter any personally identifiable information or sensitive data
- Comply with all applicable laws
What you can expect from us
- Acknowledgment of your report within 5 business days
- An initial assessment and expected timeline for resolution within 15 business days
- Open communication throughout the remediation process
- Notification when the vulnerability has been resolved
- We will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy
Safe harbor
SafePorter considers security research conducted in accordance with this policy to be authorized conduct. We will not initiate legal action against researchers who comply with this policy. If legal action is initiated by a third party against a researcher for activities conducted in accordance with this policy, we will make reasonable efforts to make it known that the researcher's actions were authorized.
Out of scope
The following are generally considered out of scope unless they can be demonstrated to have meaningful security impact:
- Missing HTTP security headers that do not lead to a directly exploitable vulnerability
- SSL/TLS configuration issues on non-production systems
- Clickjacking on pages with no sensitive actions
- Rate limiting issues on non-authentication endpoints
- Software version disclosure without a demonstrated exploit
- Reports from automated tools without manual verification
- Issues in third-party components that are not directly exploitable through our systems
Recognition
We appreciate the work of security researchers who help us keep our systems safe. With your permission, we will acknowledge your contribution. SafePorter does not currently operate a paid bug bounty program.
Changes to this policy
We may update this policy from time to time. The current version will always be available at this URL.