Responsible Disclosure
We're a security company — if you find a vulnerability in our own site or systems, we want to know, and we'll protect good-faith research that follows this policy. Here's what's in scope, how to report safely, and what you can expect from us in return.
01 Our Commitment
SEC.co welcomes reports from security researchers and members of the public who identify potential vulnerabilities in our Site or systems. We are a security company, and we believe coordinated disclosure makes everyone safer. This Responsible Disclosure Policy (the “Policy”) explains what is in scope, how to report safely, the legal protections we extend to good-faith research, and what you can expect from us in return.
This Policy applies to vulnerabilities discovered in SEC.co’s own internet-facing assets. It does not authorize testing of our clients’ systems — those are owned by the clients and are out of scope here.
02 Safe Harbor
We will not pursue or support legal action against you for security research and vulnerability disclosure activities conducted in good faith and in accordance with this Policy. Specifically, if you make a good-faith effort to comply with this Policy during your research, we will:
- Consider your activity authorized under the Computer Fraud and Abuse Act and analogous laws, and we will not bring a claim against you for accidental, good-faith violations of this Policy;
- Consider your activity exempt from anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA), and we will not bring a DMCA claim against you for circumventing technical measures in the course of your research;
- Work with you to understand and resolve the issue promptly, and recognize your contribution if you are the first to report a previously unknown vulnerability.
If legal action is initiated by a third party against you for activities conducted in good faith under this Policy, we will make this authorization known. This safe harbor applies only to claims under our control; it does not bind third parties, and it does not authorize activity against our clients or any system not listed in scope.
03 Scope
In scope
- The SEC.co website at sec.co and its sub-domains that we operate;
- Authentication, authorization, injection, and data-exposure issues affecting those properties;
- Security misconfigurations that materially affect confidentiality or integrity.
Out of scope
- Any system belonging to our clients, or any engagement target — testing these is unlawful without the client’s own authorization;
- Third-party services and platforms we use but do not operate;
- Denial-of-service (DoS/DDoS), volumetric, or resource-exhaustion attacks; physical attacks; and social engineering of our personnel, clients, or vendors;
- Findings from automated scanners without a demonstrated, exploitable impact; missing best-practice headers or cookie flags without a concrete attack scenario; reports based solely on outdated software versions without a working proof of concept;
- Spam, content injection requiring an already-compromised account, and self-XSS.
04 Rules of Engagement
To remain within this Policy and its safe harbor, you agree to:
- Avoid privacy violations and data destruction. Do not access, modify, delete, or store data that is not your own. If you encounter personal or confidential data, stop, do not download it, and report immediately.
- Minimize impact. Use only the minimum interaction necessary to demonstrate a vulnerability. Do not pivot to other systems.
- Stop if you gain access. If you obtain access to non-public data or systems, cease testing immediately and report.
- Do not run disruptive tests. No DoS, no automated high-volume scanning that degrades service, no spam.
- Keep it confidential. Give us a reasonable opportunity to remediate before disclosing publicly, and coordinate any public disclosure with us.
- Use test accounts where possible, and do not interact with accounts you do not own or have explicit permission to use.
05 How to Report
Send your report to security@sec.co. To help us triage and resolve quickly, please include:
- A clear description of the vulnerability and its potential impact;
- The affected URL, endpoint, parameter, or component;
- Step-by-step reproduction instructions, including any required accounts, payloads, or request/response samples;
- A proof of concept (screenshots or a short screen recording are helpful);
- Your assessment of severity, and any suggested remediation;
- How you would like to be credited, if at all.
If you wish to encrypt your report, request our PGP key at the same address and we will provide it before you send sensitive details.
06 What You Can Expect From Us
When you report in good faith under this Policy, we commit to:
- Acknowledge your report within three (3) business days;
- Triage and validate the issue and provide an initial assessment, typically within ten (10) business days;
- Keep you informed of remediation progress at reasonable intervals;
- Remediate validated vulnerabilities in a timeframe commensurate with their severity;
- Credit you for the discovery, with your permission, once the issue is resolved.
We do not currently operate a paid bug-bounty program, and submissions are not eligible for monetary reward. We are, however, genuinely grateful — and recognition is offered to researchers who help us improve.
07 Recognition
With your consent, we are glad to acknowledge researchers who responsibly disclose valid, previously unknown vulnerabilities. Let us know in your report how you would like to be credited (name, handle, or anonymous).
08 Changes to This Policy
We may update this Policy from time to time. The version in effect at the time of your research governs your activity. Material changes will be reflected by an updated “Last updated” date above.
Report a Vulnerability
Email security@sec.co with the details described above. For an active security incident affecting your organization (not a vulnerability in our site), use our 24/7 incident hotline instead.