Responsible Disclosure
This Responsible Disclosure Policy describes how SpendSights handles security vulnerability reports and how security researchers and users can responsibly report potential issues.
Our goal is to keep our users and systems safe while discouraging abuse, extortion, or opportunistic bounty-seeking behavior.
OUR COMMITMENT
We value the efforts of individuals who act in good faith to help improve the security of our platform.
If you responsibly disclose a genuine security vulnerability, we commit to:
- Acknowledge receipt of your report in a reasonable timeframe
- Investigate and validate the reported issue
- Take appropriate remediation steps where necessary
- Communicate progress when appropriate
WHAT WE CONSIDER RESPONSIBLE DISCLOSURE
Responsible disclosure means:
- Reporting vulnerabilities privately
- Allowing us reasonable time to investigate and remediate
- Avoiding actions that could harm users, data, or system availability
- Acting in good faith, without expectation of compensation
WHAT IS NOT PERMITTED
To protect our users and systems, the following activities are strictly prohibited:
- Requesting, implying, or demanding bug bounties, rewards, or compensation
- Threatening public disclosure to force payment or priority
- Automated scanning, brute-force attacks, or denial-of-service attempts
- Accessing, modifying, or exfiltrating user data
- Exploiting vulnerabilities beyond what is strictly necessary to demonstrate impact
- Social engineering, phishing, or physical attacks
Any activity that violates applicable laws or our Terms of Service is not authorized under this policy.
SCOPE
This policy applies only to:
- Our publicly accessible web application and APIs
- Systems and services owned and operated by SpendSights
The following are out of scope:
- Third-party services or integrations
- Issues that only affect outdated browsers or unsupported devices
- Best-practice recommendations without demonstrable security impact
- Missing rate limiting, spam, or brute-force scenarios without a demonstrable, novel exploit
NO BUG BOUNTY PROGRAM
SpendSights does not operate a bug bounty program.
Submitting a vulnerability report does not entitle the reporter to:
- Monetary rewards
- Public recognition
- Priority support
- Employment opportunities
Reports submitted with expectations of compensation may be ignored.
SAFE HARBOR
If you comply with this policy and act in good faith:
- We will not pursue legal action against you for the disclosure itself
- We will treat your report as confidential
- We expect you to do the same
This safe harbor does not apply to actions that are malicious, negligent, or unlawful.
HOW TO REPORT A SECURITY ISSUE
If you believe you have found a legitimate security vulnerability, please email us at contact [at] spendsights [dot] in.
Please include:
- A clear description of the issue
- Steps to reproduce (proof-of-concept if applicable)
- Potential impact assessment
- Any relevant screenshots or logs
Do not include sensitive personal data in your report; redact it from any screenshots or logs you attach.
PUBLIC DISCLOSURE
You may not publicly disclose any vulnerability affecting SpendSights without our explicit written consent.
Unauthorized public disclosure may result in legal action.
POLICY UPDATES
We may update this Responsible Disclosure Policy from time to time to reflect changes in legal, technical, or operational requirements. Continued interaction with our systems constitutes acceptance of the latest version.
CONTACT
For questions regarding this policy, please contact us at contact [at] spendsights [dot] in.