Security Policy

Responsible Disclosure Policy

We take security seriously. If you've discovered a vulnerability in SecOps Gateway, we want to hear from you.

Last updated: April 29, 2026

Our commitment to you

We are committed to working with security researchers to verify, reproduce, and respond to legitimate reports. If you report a valid vulnerability, we promise:

  • Acknowledge your report within 72 hours
  • Provide a timeline for investigation within 7 business days
  • Notify you when the issue is resolved
  • Give public credit (if you want it) after the fix is deployed
  • Not pursue legal action against researchers acting in good faith

How to report a vulnerability

Please send vulnerability reports via email. Do not disclose vulnerabilities publicly before we've had a chance to fix them.

Please include in your report:

  • Type of vulnerability (e.g., XSS, SQLi, IDOR, auth bypass)
  • The URL or endpoint affected
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, video, or code)
  • Your assessment of impact and severity
  • Your contact info (for follow-up)

In scope

The following are eligible for responsible disclosure:

  • Web application: secopsgateway.com and all subdomains
  • API endpoints: all /api/* routes
  • Authentication: login, registration, session management
  • Data exposure: unauthorized access to user or business data
  • Payment flows: billing, checkout, fee handling
  • Compliance data: license, insurance document handling

Out of scope

The following are not eligible and may expose you to legal risk:

  • Denial of service (DoS/DDoS) attacks
  • Physical security attacks or social engineering
  • Automated scanning that causes service degradation
  • Attacks against third-party services (Stripe, etc.)
  • Issues in third-party libraries without a viable exploit
  • Username/email enumeration without further impact
  • Password policies or brute force without account compromise
  • Rate limiting issues without demonstrated impact
  • Missing security headers without a valid exploit scenario
  • Tests against accounts you do not own or have explicit permission to test

Rules of engagement

  • Only test against accounts you own or have explicit written permission to test
  • Do not access, modify, or delete data belonging to other users
  • Do not exfiltrate, store, or share any sensitive data you access
  • Stop testing immediately if you find yourself accessing unauthorized data
  • Allow us 90 days to remediate before any public disclosure
  • Coordinate disclosure timeline with us — we will work fast

Severity classification

We classify vulnerabilities using the CVSS v3.1 standard:

  • Critical (9.0–10.0): remote code execution, full system compromise, mass PII exposure
  • High (7.0–8.9): privilege escalation, auth bypass, significant data breach
  • Medium (4.0–6.9): stored XSS, IDOR with limited scope, sensitive data leakage
  • Low (0.1–3.9): reflected XSS, minor information disclosure, limited impact

Our security practices

  • Encryption at rest and in transit: all data encrypted with TLS 1.3 in transit; database and storage encrypted at rest.
  • Authentication: secure session management with httpOnly cookies; password hashing with bcrypt.
  • Audit logging: comprehensive audit trail for all sensitive operations, including compliance documents, payments, and match actions.
  • Access control: role-based access control enforced at the API layer; data isolation between account types.
  • Incident response: documented IR plan with a defined escalation path and breach notification procedures.
  • Dependency monitoring: automated scanning for vulnerable dependencies with regular updates.

Encrypted communication

For sensitive vulnerability reports, you may request our PGP public key by emailing security@secopsgateway.com and we will provide it within 24 hours.

Legal safe harbor

We will not initiate legal action against security researchers who discover and report vulnerabilities in accordance with this policy. This safe harbor applies to good-faith research only. Testing that causes service disruption, accesses other users' data, or violates the rules above is not covered by this safe harbor.

This policy is intended to comply with CFAA, DMCA, and other applicable laws. We will work with researchers and their legal counsel if questions arise regarding scope or applicability.

Found a vulnerability?

Report it responsibly. We're grateful for your help keeping the platform secure.