Responsible Disclosure Policy
We are a security company. If you find a hole in our product or our site, we want to hear about it, and we will treat you well for telling us.
security@sabikisecurity.com
Tell us what you found, how to reproduce it, and what you think the impact is. Include your name if you would like credit. That is all we need.
What we promise you
| Our commitment | |
|---|---|
| Acknowledgement | Within 2 business days we will confirm we have your report and that a human is reading it. |
| Triage | Within 5 business days we will tell you whether we have reproduced it, how we have rated it, and what we intend to do. |
| Fix | We will keep you updated while we fix it, and we will tell you when it is done. |
| Credit | If you want it, we will credit you publicly when the fix ships. If you would rather stay anonymous, that is fine too. |
| Safe harbour | If you act in good faith and within this policy, we will not pursue legal action against you, and we will say so to anyone who asks. |
What we ask of you
- Give us a reasonable chance to fix it before you go public. We aim to have a fix out well within 90 days. If it is taking longer, talk to us; we will not hide behind the clock.
- Do not access, modify or delete other people's data. If you find you can, stop, and tell us. Prove the vulnerability, do not exploit it.
- Do not degrade the service. No denial-of-service testing, no automated scanning at volume, no social engineering of our staff or our customers.
- Do not test a customer's Microsoft 365 tenant. That tenant is not ours to authorise, and testing it may be a criminal offence regardless of your intent.
In scope
- sabikisecurity.com and its subdomains
- portal.sabikisecurity.com, the AIRM application
- The AIRM Microsoft Entra application and the Graph permissions it requests
Out of scope
These are things we already know about, or that are not ours to fix. Reporting them will not earn a response.
- Findings from automated scanners without a demonstrated, exploitable impact
- Missing security headers with no demonstrated exploit path
- Social engineering, phishing, or physical attacks against our staff or offices
- Vulnerabilities in third-party services we do not control, including Microsoft, Netlify and Cal.com. Report those to them.
- Denial of service, or anything that requires it
Bounties
We do not currently run a paid bounty programme. We will say so plainly rather than imply one and then decline to pay. What we offer is a fast, honest response, public credit if you want it, and safe harbour. If we start paying, this page will say so.
Encryption
If you would rather encrypt your report, email security@sabikisecurity.com and ask for our public key. We will send it.
← All legal documents