Skip to main content

Responsible Disclosure

If you've found a security issue in VolatiCloud, thank you for taking the time to tell us. This page is the canonical place to report it and lays out exactly what you can expect from us in return — acknowledgement timeline, scope, safe-harbor commitments, and the bug-bounty status.

How to Report

Email: [email protected]

Please include:

  • A short description of the issue and its impact
  • Steps to reproduce, including any URLs, request bodies, payloads, or test accounts you used
  • The date and approximate time you observed the issue
  • Any prior disclosure — whether you've shared this information with anyone else

If your report contains sensitive details, encrypt it with our PGP key (fingerprint and key block: forthcoming — request the key from the same address and we'll send it to you).

What You Can Expect From Us

CommitmentTimeline
Acknowledgement of your reportWithin 48 hours (often the same business day)
First severity assessment with preliminary classification (Critical / High / Medium / Low / Informational)Within 5 business days
Status updates until the issue is resolvedAt least every two weeks
Public credit in our security advisories (if you want it)Once the fix has shipped

What We Ask of You

  • Give us reasonable time to fix the issue before disclosing publicly. We aim for 90 days; we'll work with you if a particular issue needs more or less time.
  • Don't access, modify, or download data that isn't yours. A proof of concept on your own account is fine; pivoting to other accounts is not.
  • Don't run denial-of-service tests against production. A staging environment can be made available for high-volume tests on request.
  • Don't social-engineer our employees, contractors, or vendors.

If you operate within these guidelines, we will not pursue legal action against you for your research. This is our public safe-harbor commitment.

Bug Bounty

We're operating a public bug-bounty program — to be confirmed at launch time. The program will cover in-scope assets, severity-based rewards, and a formal SLA. Until that program is publicly live, we still welcome vulnerability reports through the email address above and will compensate qualifying reports at our discretion.

In-Scope Targets

  • app.volaticloud.com — production dashboard
  • api.volaticloud.com — production GraphQL API
  • docs.volaticloud.com — knowledge center (this site)
  • Mobile apps (iOS / Android) — once published
  • Source code in any of our public repositories under github.com/volaticloud

Out of Scope

  • Third-party services we depend on (report to that vendor directly)
  • Self-XSS, clickjacking on pages without sensitive actions, missing security headers without exploitable impact, automated scanner output without manual validation
  • Findings that require a compromised end-user device
  • Theoretical vulnerabilities without a demonstrable impact
  • Best-practice deviations that are not exploitable

Hall of Fame

Researchers whose reports led to material security improvements are acknowledged here:

  • (Awaiting first acknowledgement — yours could be the first.)
  • Security Overview — High-level summary of what we protect today.
  • Threat Model — Actors, defenses, and the trust roadmap.
  • Encryption — Implementation details of at-rest and in-transit encryption.