Vulnerability Disclosure Policy (VDP)

At Remindax, security is a top priority. We value the contributions of the security community and welcome reports of vulnerabilities that could impact our systems, users, or data. This policy outlines the rules and guidelines for responsible reporting.

1. Scope

The following assets are in scope:

  • www.remindax.com
  • app.remindax.com
  • api.remindax.com

The following are out of scope:

  • Third-party services (e.g., payment providers, hosting platforms)
  • Denial-of-Service (DoS) and brute-force attacks
  • Social engineering or phishing attempts against our employees or users

2. Rules & Guidelines

✅ Do:

  • Report vulnerabilities privately to us at [email protected].
  • Provide a detailed report including steps to reproduce, screenshots, and proof-of-concept (PoC) code if possible.
  • Give us reasonable time to investigate and fix the issue before publicly disclosing it.

🚫 Do Not:

  • Perform actions that could damage, disrupt, or degrade services (e.g., DoS attacks).
  • Access, modify, or delete any data that is not yours.
  • Exploit vulnerabilities beyond what is necessary for testing.
  • Use automated scanning tools that may overload our systems.
  • Conduct social engineering, phishing, or physical security testing.

3. Response Timeline

  • Acknowledgment: Within 5 - 7 business days of submission.
  • Initial investigation & classification: Within 14 days.
  • Remediation & fix timeline: Based on severity, we will provide updates.

4. Severity Assessment

We classify vulnerabilities based on industry standards like CVSS:

  • Critical: High-impact vulnerabilities leading to full account takeover or remote code execution.
  • High: Authentication bypasses, serious data exposure, or privilege escalation.
  • Medium: Moderate risk vulnerabilities requiring specific conditions to exploit.
  • Low: Minor security issues with limited impact.

5. Out-of-Scope Issues

  • Missing security headers (unless leading to a specific attack).
  • Clickjacking on non-sensitive pages.
  • Self-XSS (exploiting vulnerabilities on yourself).
  • Rate limiting issues without clear exploitability.
  • Reports from automated scanners without proof-of-concept.

6. Legal Safe Harbor

We are committed to working with security researchers in good faith. If you follow our rules & guidelines, we will:

  • Not take legal action against you for responsible reporting.
  • Not suspend or block your account for ethical testing.

7. Recognition & Acknowledgment

At this time, we do not offer monetary rewards. However, we may acknowledge researchers who responsibly disclose high-impact vulnerabilities on our Security Hall of Fame.

8. How to Report a Vulnerability

If you have found a security vulnerability, please report it via email:

📩 Email: [email protected]

We sincerely appreciate your efforts in keeping Remindax secure!