# security.txt
# Security Disclosure Information for Hackolade

Contact: mailto:security@hackolade.com
Expires: 2026-08-01T22:00:00.000Z
Preferred-Languages: en,fr
Policy: https://app.riskledger.com/p/shared/36724fc5ba0b4f9084c0cf2bc8834cce/assessment

# If you believe you have found a security vulnerability on our site or in any of our products, please contact us at mailto:security@hackolade.com
# We encourage responsible disclosure and are committed to addressing all security concerns promptly.

# Vulnerability Disclosure Policy
#
# At Hackolade, we take security seriously and appreciate the efforts of security researchers who help us ensure the safety and security of our systems. To streamline the reporting process and ensure that your findings are properly evaluated, we have established the following guidelines.

# Scope
#
# The following areas are considered in scope for vulnerability testing and reporting:
# - Web Application: https://hackolade.com and all associated subdomains
# - API Endpoints: All publicly accessible API endpoints
# - Desktop Applications: Hackolade Studio
# - Open-Source Projects: Any open-source repositories maintained by Hackolade

# Out of Scope
#
# The following are out of scope and should not be included in vulnerability reports:
# - Physically-local attacks: Attacks allowing an attacker to log into a user's device as that user, or allowing an attacker to run software with the privileges of an operating system user account.
# - Denial of Service (DoS) attacks: Any form of resource exhaustion, including bandwidth, CPU, or memory consumption.
# - Social Engineering: Phishing, vishing, or any other type of social engineering attacks against our employees or customers.
# - Clickjacking on pages with no sensitive actions: Reports of clickjacking vulnerabilities that do not lead to sensitive actions.
# - Content Spoofing/Text Injections: Any vulnerabilities limited to text injections that do not result in code execution.
# - Missing Security Headers: Reports about missing security headers (e.g., X-Frame-Options, X-Content-Type-Options) unless they lead to an exploit.
# - Reports from Automated Scanners: Vulnerabilities identified solely through automated tools without accompanying proof of concept or impact assessment.
# - Issues in Third-Party Services: Vulnerabilities in services, platforms, or software not directly controlled or managed by Hackolade.

# What Qualifies as a Valid Vulnerability
#
# We consider the following as valid and actionable security vulnerabilities:
# - Cross-Site Scripting (XSS): Any form of cross-site scripting that allows an attacker to execute malicious scripts in the context of a user's browser.
# - SQL Injection: Injection vulnerabilities that allow unauthorized access to or modification of data.
# - Authentication Bypass: Issues that allow an attacker to bypass authentication mechanisms.
# - Remote Code Execution (RCE): Vulnerabilities that allow attackers to execute code on the server.
# - Privilege Escalation: Any issues that allow a user to gain higher privileges than intended.
# - Sensitive Data Exposure: Inadvertent exposure of sensitive data such as personal information, financial data, or cryptographic keys.
# - CSRF: Cross-Site Request Forgery attacks that can perform unauthorized actions on behalf of an authenticated user.

# Evaluation Process
#
# - Submission Review: All submitted reports are promptly reviewed by our security team. Reports that meet our scope and validity criteria will proceed to the next step.
# - Validation: Our team will attempt to reproduce the reported vulnerability. If validated, we will begin to assess its severity and impact.
# - Response: We will notify you of the status of your report, including whether it has been accepted, rejected, or requires more information.
# - Remediation: If a vulnerability is confirmed, our development team will work on a fix. You will be kept informed throughout this process.
# - Acknowledgment: Once the issue is resolved, we will provide appropriate recognition on our acknowledgments page and, where applicable, offer a reward based on the severity and impact of the vulnerability.

# Reporting Guidelines
#
# - Detailed Description: Include a detailed description of the vulnerability, the affected areas, and the potential impact.
# - Proof of Concept (PoC): Provide a PoC or detailed steps to reproduce the issue. This is crucial for validating the vulnerability.
# - Scope of Impact: Explain the potential impact of the vulnerability, including any real-world scenarios where it could be exploited.
# - Screenshots/Video: Attach any screenshots or videos that demonstrate the issue, as they can be very helpful in understanding the vulnerability.