Vulnerability Disclosure Policy

Introduction 

At CovertSwarm, our mission is to constantly protect our clients by outpacing the genuine threats. We believe in the power of collaboration and the crucial role the security community plays in this mission. If you’ve identified a vulnerability, we want to hear from you. Your expertise helps us ensure that our digital defences remain strong and resilient. 

Scope 

The following domains are in scope for our vulnerability disclosure program: 

  • www.covertswarm.com 
  • portal.covertswarm.com 
  • subscribe.covertswarm.com 
  • api.covertswarm.com 

Any services, applications, or systems outside of these domains are considered out of scope. Reports concerning out-of-scope systems will not be eligible for acknowledgment or rewards. 

Reports of informational or low-severity findings, such as missing or improvable HTTP security headers and TLS weaknesses, are appreciated but considered out of scope for this policy.

Reporting a Vulnerability 

If you believe you have found a security vulnerability in one of our in-scope domains, we encourage you to let us know right away. We will investigate all legitimate reports and will quickly remediate and/or mitigate where technically possible. 

Please send your vulnerability report to: 

Email: [email protected]

What We Ask of You 

  • Provide detailed steps to reproduce the vulnerability, including any proof-of-concept code or screenshots that may help us understand the issue. 
  • Refrain from publicly disclosing the vulnerability until we have had reasonable time to address it. 
  • Avoid any activities that could cause harm to our users, employees, or systems, including but not limited to: 
      • Denial of Service (DoS) attacks 
      • Social engineering attacks 
      • Physical attacks 
      • Any form of data destruction or tampering 

Our Commitment 

  • We will acknowledge receipt of your report within three business days. 
  • We will provide you with an estimated time frame for addressing the vulnerability. 
  • We will notify you when the vulnerability has been fixed. 
  • If you are the first to report a vulnerability that results in a code or configuration change, and you request it, we will publicly acknowledge your contribution on our website. 
  • You will also receive exclusive CovertSwarm swag, and if the vulnerability is serious enough you may receive a financial reward. 

Legal Safe Harbor 

We will not pursue legal action against security researchers who: 

  • Follow this policy in good faith. 
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services. 

Feedback 

We value your input and strive to improve our processes. If you have any feedback on how we can better handle security vulnerability reports, please let us know.