Reporting a Vulnerability
Purpose
We take the security of our software products seriously. This Vulnerability Disclosure Policy describes how security vulnerabilities may be reported to us and how we handle reported issues.
Scope
This policy applies to:
- Software products developed and maintained by us
- Associated build and distribution artifacts
This policy does not apply to third-party services or software not under our control.
Reporting a Vulnerability
If you believe you have discovered a security vulnerability, please report it to us responsibly.
How to Report
Please submit vulnerability reports via email at:
Reports should include:
- The phrase "I am reporting a security vulnerability"
- A description of the vulnerability
- Affected product(s) and version(s)
- Steps to reproduce (if applicable)
- Any supporting materials (code, logs, sample documents)
Encrypted reports are welcome if preferred. Large files or those you consider confidential should be shared via a file sharing site of your choice.
Distinguishing Bugs from Security Vulnerabilities
We also welcome reports of general software bugs through this channel. For clarity:
- A security vulnerability is a flaw that could allow an attacker to gain unauthorized access, execute code, escalate privileges, or otherwise compromise security.
- A general bug affects functionality or performance but doesn't create a security risk (e.g., a feature not working as intended, a crash under specific conditions, or a cosmetic issue).
When submitting, please indicate whether you believe the issue has security implications and if so, what they are. This helps us prioritize our response appropriately.
Coordinated Disclosure
We ask that reporters:
- Avoid public disclosure of vulnerabilities until we have had a reasonable opportunity to investigate and address the issue
- Act in good faith and avoid actions that could harm users or systems
We do not pursue legal action against individuals who report vulnerabilities responsibly and in accordance with this policy.
Our Responsibilities
Our Commitment
We commit to the following when handling vulnerability reports:
- Acknowledgement: We will acknowledge receipt of the report within 5 business days.
- Review and Triage: We will assess the reported issue to determine validity, severity, and impact.
- Remediation: Confirmed vulnerabilities will be addressed through remediation or mitigation actions based on risk and severity.
- Communication: Where appropriate, we will communicate status updates to the reporter during the remediation process.
Assessment will be done in the context of someone using the current release of the relevant product according to the official documentation for that product.
Response Timelines
While remediation timelines may vary depending on severity and complexity, our general targets are:
| Severity | Target Response |
| --- | --- |
| Critical | As soon as reasonably possible |
| High | Within 30 days |
| Medium | Within 60 days |
| Low | As resources permit or in a future release |
If a vulnerability cannot be immediately fixed, reasonable mitigations or guidance may be provided.
Out of Scope
The following are generally out of scope:
- Denial-of-service attacks
- Social engineering
- Physical security issues
- Vulnerabilities in third-party platforms not under our control
- Issues already known or publicly disclosed
- Issues that cannot be exploited
Vulnerabilities that are directly and solely caused by the product being used in a manner explicitly contraindicated in the official documentation are considered out of scope. However, vulnerabilities arising from intended use or features, even if a non-default setting is involved, are within scope.
Policy Updates
This policy may be updated periodically. The current version will always be available at this location.
