Vulnerability Disclosure Policy

This policy encourages responsible disclosure of security vulnerabilities in CapEngage's systems.

Last updated: January 15, 2025

1. Policy Overview

CapEngage values the work of security researchers in helping us identify and address security vulnerabilities. This Vulnerability Disclosure Policy establishes guidelines for responsible disclosure of security issues in our systems.

We commit to working with security researchers who follow this policy and will not take legal action against researchers who act in good faith.

2. Safe Harbor

We will not pursue legal action or initiate law enforcement complaints against security researchers who:

  • Act in good faith to help us improve our security
  • Follow this disclosure policy
  • Do not access or exfiltrate customer data
  • Do not cause disruption to our services
  • Report vulnerabilities to us before public disclosure

This safe harbor applies as long as you comply with this policy and applicable laws.

3. What to Report

We encourage reporting of security vulnerabilities including:

  • Injection Vulnerabilities: SQL, NoSQL, command injection, etc.
  • Cross-Site Scripting (XSS): Reflected, stored, DOM-based XSS
  • Authentication Issues: Weak authentication, session management flaws
  • Authorization Flaws: Privilege escalation, access control bypass
  • Information Disclosure: Sensitive data exposure, improper error handling
  • Security Misconfiguration: Insecure defaults, open cloud storage
  • Cryptography Issues: Weak encryption, improper key management
  • Business Logic Flaws: Workflow bypass, abuse of legitimate features

4. What Not to Report

The following are generally out of scope:

  • Issues in third-party services integrated with our platform
  • Social engineering (phishing) vulnerabilities
  • Physical security issues
  • UI/UX bugs without security impact
  • Missing security headers or minor configuration issues
  • Known vulnerabilities in outdated dependencies (unless actively exploitable)
  • Denial of service attacks
  • Spam or rate limiting issues

5. Testing Guidelines

When testing our systems:

  • Test only against your own accounts or test accounts
  • Do not access, modify, or delete customer data
  • Do not perform automated scanning without prior coordination
  • Do not cause service disruption or degradation
  • Use minimal, non-destructive testing methods
  • Stop testing immediately if you encounter customer data
  • Limit testing to business hours when possible

6. How to Report

6.1 Report Submission

Send vulnerability reports to:

Email: security@capengage.com

PGP Key: Available on request for encrypted reports

Response Time: Within 48 hours

6.2 Report Contents

Include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce (minimal, non-destructive)
  • Proof of concept (if applicable)
  • Suggested remediation (if known)
  • Your contact information
  • Any relevant screenshots or logs

7. Response Process

7.1 Acknowledgment

We will acknowledge receipt of your report within 48 hours and provide a tracking reference number.

7.2 Assessment

We will assess the vulnerability and provide an initial assessment within 7 business days.

7.3 Remediation Timeline

Severity    Resolution Timeline
Critical    48 hours
High        7 business days
Medium      30 days
Low         90 days

7.4 Updates

We will provide regular updates on the remediation status until the issue is resolved.

8. Recognition

For qualifying vulnerabilities, we may offer:

  • Recognition in our security hall of fame (with your permission)
  • Certificate of recognition
  • CapEngage swag (where applicable)
  • Bounty rewards for critical vulnerabilities (at our discretion)

Recognition is at our sole discretion and depends on the severity, impact, and quality of the report.

9. Public Disclosure

We request that you do not publicly disclose vulnerabilities before we have had reasonable time to remediate them. We will:

  • Coordinate public disclosure with you
  • Publicly acknowledge your contribution (with your permission)
  • Credit you in security advisories and release notes

10. Contact Information

Security Team: security@capengage.com

PGP Key: Available on request

Address: Building No 4B, Flat No 304, Olympeo Riverside PH Karjat, Avasare, Raigad, Maharashtra, India - 410101

Company Information

CAPENGAGE TECHNOLOGY SOLUTIONS PRIVATE LIMITED

Building No 4B, Flat No 304, Olympeo Riverside PH Karjat,
Avasare, Raigad, Maharashtra, India - 410101