Vulnerability Disclosure Policy
Version 1.1 —
Introduction
We are committed to protecting users' information and ensuring the security of our systems. This policy provides guidelines for security researchers to responsibly conduct vulnerability discovery and report findings to us.
This document outlines: what systems are in scope, what testing is authorized, how to submit reports securely, and how long to wait before public disclosure.
Authorization & Safe Harbor
If you make a good faith effort to comply with this policy, your research is authorized. We will not pursue or recommend legal action, and we will not consider your activities a violation of our Terms of Service, the Computer Fraud and Abuse Act (CFAA), the DMCA, or similar laws. If a third party initiates legal action for activities conducted under this policy, we will make this authorization known.
Guidelines for Research
- Report issues as soon as possible after discovery.
- Avoid privacy violations, user disruption, or data destruction/manipulation.
- Only exploit to the extent necessary to confirm a vulnerability; do not maintain persistence, exfiltrate data, or pivot to other systems.
- If you access any sensitive data (PII, financial, proprietary, or trade secrets), stop immediately, report it, and do not disclose the data.
- Allow us up to 90 days to remediate before public disclosure, unless otherwise agreed.
- Do not submit high volumes of low-quality reports or raw automated scanner output without evidence of impact.
Prohibited Testing
- Denial of Service (DoS/DDoS) or any testing that degrades service availability.
- Physical security testing (e.g., office access, tailgating).
- Social engineering (e.g., phishing, vishing).
- Attacks on systems or services outside the defined scope.
Scope
This policy applies to the primary website of the domain where this policy is published and its immediate subdomains, unless explicitly excluded.
Out of scope: staging/test environments; vendor-managed systems; services not expressly listed as in scope; vulnerabilities in third-party providers (report directly to the vendor).
If unsure whether a system is in scope, contact security@7thcircledesigns.com before testing.
Out of Scope Findings (Won't Be Accepted)
- Automated scanner results without demonstrated impact/exploitability.
- Self-XSS (affecting only the reporting user).
- Clickjacking on non-sensitive pages.
- Missing SPF/DKIM/DMARC (these are monitored separately).
- Use of outdated software/libraries without a demonstrable vulnerability.
Reporting a Vulnerability
Send reports to: disclosure@pm.7thcircledesigns.com
Anonymous submissions are allowed. If you provide contact information, we will acknowledge receipt within 3 business days.
By submitting a vulnerability, you acknowledge that no monetary compensation is offered and you waive any future payment claims related to your submission.
Secure Submission
For encrypted communication, use our PGP key and security.txt published at:
https://senderfortify.com/.well-known/security.txt
https://senderfortify.com/.well-known/pgp.txt
What We'd Like to See from You
- Where the vulnerability was found and potential impact.
- Steps to reproduce (proof-of-concept scripts or screenshots are helpful).
- Reports written in English, if possible.
What You Can Expect from Us
- Acknowledgment within 3 business days (if contact info is provided).
- Confirmation of the vulnerability and transparency about remediation progress and any challenges.
- Open, ongoing dialogue until resolution.
Recognition
While we do not offer monetary rewards, researchers who responsibly disclose valid vulnerabilities may, with permission, be recognized on a Hall of Fame page.
Questions
Questions or suggestions about this policy: security@7thcircledesigns.com
Document Change History
| Version | Date | Description |
|---|---|---|
| 1.1 | | Added Safe Harbor; clarified scope, 90-day disclosure timeline, out-of-scope items; added encrypted submission references. |
| 1.0 | | First issuance. |