Responsible Disclosure

Our responsible vulnerability disclosure policy. We thank security researchers for reporting vulnerabilities responsibly.

Scope

This policy applies to vulnerabilities discovered in infrastructure and applications belonging to SecureWarp, including:

  • The main domain and subdomains of securewarp.pl
  • Publicly accessible web applications and APIs
  • Technical infrastructure operated by SecureWarp

This policy does not cover vulnerabilities in the systems of external suppliers or clients of SecureWarp.

Reporting Rules

We ask security researchers to comply with the following rules:

  • Do no harm — do not modify, delete or access other users' data
  • Do not disrupt services — avoid DoS attacks, mass scanning and automated brute-force attacks
  • Do not disclose publicly — do not publish information about a vulnerability before receiving confirmation of its remediation or before the coordinated disclosure deadline has passed
  • Act in good faith — reports must concern genuine security vulnerabilities

Response Timeline

  • Acknowledgement of receipt: within 3 business days
  • Initial assessment: within 7 business days
  • Status update: every 14 days
  • Remediation of critical vulnerabilities: within 30 days
  • Coordinated disclosure: after remediation or after 90 days

Rewards

SecureWarp does not operate a formal bug bounty programme with financial rewards. For responsible reports we offer:

  • Public acknowledgement in our Hall of Fame section (with the researcher's consent)
  • A LinkedIn endorsement or written reference letter
  • The opportunity to discuss a collaboration

Exclusions

The following types of reports are excluded from the scope of this policy:

  • Vulnerabilities requiring physical access to a device
  • Social engineering attacks against SecureWarp employees
  • DNS configuration issues that do not constitute security vulnerabilities
  • Reports of outdated software versions without a demonstrated security impact
  • Vulnerabilities in third-party systems not under SecureWarp's control

Legal Protection

SecureWarp will not take legal action against researchers acting in good faith and in accordance with this policy. We treat responsible disclosures as a valuable contribution to the security of our systems.

Security Contact

Please send vulnerability reports to: security [at] securewarp.pl

In your message, please include: a description of the vulnerability, steps to reproduce it, the potential impact, and your contact details (optional).

Machine-readable contact details are published in the /.well-known/security.txt file.