ArazonSecurity
Responsible Disclosure
We take security seriously and appreciate the work of security researchers who help us keep our systems and users safe.
Scope
This policy applies to vulnerabilities in:
- arazon.io and all subdomains
Qualifying Vulnerabilities
We're interested in hearing about:
- Remote code execution
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication/authorization bypass
- Sensitive data exposure
- Server-side request forgery (SSRF)
Out of Scope
The following are not eligible:
- Denial of service attacks
- Social engineering attacks
- Physical attacks against Arazon infrastructure
- Vulnerabilities in third-party services
- Issues already known or previously reported
- Theoretical vulnerabilities without proof of concept
Reporting Guidelines
When reporting a vulnerability:
- Provide detailed steps to reproduce the issue
- Include proof-of-concept code if applicable
- Describe the potential impact
- Do not access or modify other users' data
- Do not perform destructive testing
- Keep vulnerability details confidential until resolved
Our Commitment
When you report a vulnerability in good faith:
- We will acknowledge receipt within 24 hours
- We will provide an initial assessment within 5 business days
- We will keep you informed of our progress
- We will not pursue legal action against you
- We will credit you in our security acknowledgments (if desired)