
Responsible Disclosure Policy

Effective date: January 1, 2025

Spakto takes the security of our systems and our customers' data extremely seriously. We welcome reports from security researchers, customers and the broader community who identify potential security vulnerabilities in our products and services.

1. Our Commitment to Researchers

  • We will acknowledge receipt of your report within 48 hours.
  • We will provide an estimated timeline for remediation within 10 business days.
  • We will keep you informed of our progress throughout the remediation process.
  • We will not pursue legal action against researchers who act in good faith.
  • We will publicly recognise your contribution (with your permission) in our Hall of Fame.

2. Scope — In Scope

  • Spakto web applications and APIs (*.spakto.com).
  • Spakto mobile applications.
  • Spakto platform and core services.
  • Authentication and authorisation vulnerabilities.
  • Injection vulnerabilities (SQL, command, LDAP, etc.).
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF).
  • Sensitive data exposure and insecure direct object references.
  • Server-side request forgery (SSRF).

3. Scope — Out of Scope

  • Vulnerabilities in third-party services not directly under Spakto's control.
  • Denial of service (DoS/DDoS) attacks.
  • Social engineering attacks against Spakto employees.
  • Physical security attacks against Spakto premises.
  • Spam or email bombing.
  • Automated scanning without prior approval.
  • Vulnerabilities requiring unlikely user interaction.

4. How to Report

Please email your findings to security@spakto.com with the subject line 'Responsible Disclosure'. Include a clear description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence (screenshots, PoC code, etc.). Please encrypt sensitive findings using our PGP key, available on request.

5. Guidelines for Researchers

  • Do not access, modify or delete data that does not belong to you.
  • Do not perform actions that could harm the availability of our services.
  • Do not disclose the vulnerability publicly before we have had a reasonable time to remediate it (coordinated disclosure — 90 days).
  • Do not conduct testing against production systems beyond what is necessary to confirm the vulnerability.
  • Use test accounts when possible and minimise the impact of your testing.

6. Coordinated Disclosure Timeline

We follow a 90-day coordinated disclosure policy. We will work with you to agree on a disclosure date. If we require more time due to complexity, we will communicate this openly and request an extension. We reserve the right to disclose findings after 90 days regardless of remediation status, with credit to the reporter.

7. Bug Bounty

Spakto currently operates a private bug bounty programme for select researchers. Rewards are determined based on severity (CVSS score), exploitability and business impact. Critical vulnerabilities may receive rewards up to $5,000 USD. Please contact security@spakto.com to enquire about eligibility.

8. Safe Harbour

Spakto will not initiate legal action against individuals who discover and report security vulnerabilities in good faith in accordance with this policy. We consider security research conducted in line with these guidelines to be authorised and beneficial. We will not refer researchers to law enforcement for compliant disclosures.

9. Hall of Fame

We maintain a Security Hall of Fame to recognise researchers who have made significant contributions to our security. Researchers are listed with their permission. We are grateful to all those who help keep Spakto and our customers secure.

Questions about this policy?

If you have any questions or concerns about this policy, please contact Spakto Legal.