Responsible Disclosure Policy
Effective Date: March 2026
Cmospike takes the security of our systems and data seriously. We appreciate the work of security researchers and the broader community in helping us maintain a secure environment.
Scope
This policy applies to vulnerabilities discovered in:
- Our website and web applications
- APIs and services operated by Cmospike
Reporting a Vulnerability
If you believe you have found a security vulnerability, please report it to us responsibly. Contact us through the channels provided on our website with the following information:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code (if applicable)
Our Commitment
When you report a vulnerability to us, we commit to:
- Acknowledge your report within 5 business days
- Assess the vulnerability and determine its impact
- Keep you informed about the progress of the fix
- Credit you (if desired) when we disclose the vulnerability fix
Guidelines
We ask that you:
- Do not access, modify, or delete data belonging to others
- Do not perform actions that could degrade our services (e.g., denial of service)
- Do not publicly disclose the vulnerability before we have addressed it
- Act in good faith to avoid privacy violations and disruption to our services
- Only test against accounts you own or have explicit permission to test
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who discover and report vulnerabilities responsibly, provided they comply with the guidelines above.
Out of Scope
The following are generally out of scope:
- Social engineering attacks (e.g., phishing)
- Physical security concerns
- Vulnerabilities in third-party software or services
- Reports from automated scanning tools without demonstrated impact
Cmospike is part of the PRIMSEED ecosystem.