Scopebase
Security

Responsible Disclosure Policy

Scopebase welcomes reports from security researchers who identify vulnerabilities in our systems. We are committed to working with you to address issues responsibly and transparently.

How to Report a Vulnerability

Send an email to security@scopebase.org with the subject line Security Vulnerability Report. Include as much detail as possible:

Description: A clear description of the vulnerability and the affected component or endpoint.
Reproduction steps: Step-by-step instructions to reproduce the issue, including any payloads, URLs, or request headers.
Impact assessment: Your assessment of the potential impact — who is affected and what data or functionality could be compromised.
Your contact information: An email address or other contact method so we can follow up with you.

Our Commitments to You

Respond to your report within 2 business days to acknowledge receipt.
Investigate all good-faith reports thoroughly and keep you informed of our progress.
Notify you when the vulnerability has been resolved or mitigated.
Not pursue legal action against researchers acting in good faith under this policy.
Credit you in our acknowledgments section if you wish (opt-in).

Out of Scope

The following activities are not covered by this policy and may result in your report being deprioritized or legal action:

Denial-of-service (DoS or DDoS) attacks against production infrastructure.
Social engineering attacks targeting Scopebase staff or contractors.
Testing production systems with real user data or customer accounts that are not your own.
Automated vulnerability scanning that generates significant load on our servers.
Physical security attacks against our infrastructure providers.
Reports based solely on automated scanner output without manual validation.

Response Timeline

Best effort
Initial acknowledgment of your report.
Best effort
Preliminary severity assessment and remediation plan.
Best effort
Target resolution for critical and high severity issues.

Safe Harbor

Scopebase considers security research conducted under this policy to be authorized access. We will not initiate legal action against you for conducting research in compliance with these guidelines.

If third parties initiate legal action against you for work conducted under this policy, we will make clear that your activities were authorized and conducted in good faith.

Acknowledgments

No acknowledgments yet. Be the first to responsibly disclose a vulnerability.

Report a Vulnerability

Email our security team directly. Do not report vulnerabilities through public GitHub issues or social media.

security@scopebase.org
Responsible Disclosure | Scopebase