Responsible Disclosure
If you've found a security issue in VolatiCloud, thank you for taking the time to tell us. This page is the canonical place to report it and lays out exactly what you can expect from us in return — acknowledgement timeline, scope, safe-harbor commitments, and the bug-bounty status.
How to Report
Email: [email protected]
Please include:
- A short description of the issue and its impact
- Steps to reproduce, including any URLs, request bodies, payloads, or test accounts you used
- The date and approximate time you observed the issue
- Any prior disclosure — whether you've shared this information with anyone else
If your report contains sensitive details, encrypt it with our PGP key (fingerprint and key block: forthcoming — request the key from the same address and we'll send it to you).
What You Can Expect From Us
| Commitment | Timeline |
|---|---|
| Acknowledgement of your report | Within 48 hours (often the same business day) |
| First severity assessment with preliminary classification (Critical / High / Medium / Low / Informational) | Within 5 business days |
| Status updates until the issue is resolved | At least every two weeks |
| Public credit in our security advisories (if you want it) | Once the fix has shipped |
What We Ask of You
- Give us reasonable time to fix the issue before disclosing publicly. We aim for 90 days; we'll work with you if a particular issue needs more or less time.
- Don't access, modify, or download data that isn't yours. A proof of concept on your own account is fine; pivoting to other accounts is not.
- Don't run denial-of-service tests against production. A staging environment can be made available for high-volume tests on request.
- Don't social-engineer our employees, contractors, or vendors.
If you operate within these guidelines, we will not pursue legal action against you for your research. This is our public safe-harbor commitment.
Bug Bounty
We're operating a public bug-bounty program — to be confirmed at launch time. The program will cover in-scope assets, severity-based rewards, and a formal SLA. Until that program is publicly live, we still welcome vulnerability reports through the email address above and will compensate qualifying reports at our discretion.
In-Scope Targets
app.volaticloud.com— production dashboardapi.volaticloud.com— production GraphQL APIdocs.volaticloud.com— knowledge center (this site)- Mobile apps (iOS / Android) — once published
- Source code in any of our public repositories under
github.com/volaticloud
Out of Scope
- Third-party services we depend on (report to that vendor directly)
- Self-XSS, clickjacking on pages without sensitive actions, missing security headers without exploitable impact, automated scanner output without manual validation
- Findings that require a compromised end-user device
- Theoretical vulnerabilities without a demonstrable impact
- Best-practice deviations that are not exploitable
Hall of Fame
Researchers whose reports led to material security improvements are acknowledged here:
- (Awaiting first acknowledgement — yours could be the first.)
Related guides
- Security Overview — High-level summary of what we protect today.
- Threat Model — Actors, defenses, and the trust roadmap.
- Encryption — Implementation details of at-rest and in-transit encryption.