Vulnerability Disclosure Policy

1. Reporting a Vulnerability

Please email security@cyberhorizon.co with enough detail for us to reproduce the issue — typically the affected URL or component, a description of the vulnerability and its impact, and step-by-step reproduction instructions. Proof-of-concept material is welcome.

2. Our Commitment

• We will acknowledge your report promptly and keep you informed of our progress.
• We will investigate and remediate valid issues as quickly as is practical, based on severity.
• We will not pursue legal action against researchers who act in good faith and within this policy.
• We are happy to credit researchers who report valid issues, where you wish to be acknowledged.

3. Guidelines for Researchers

To act in good faith under this policy, please:

• Make a genuine effort to avoid privacy violations, data destruction, and service degradation.
• Only interact with accounts you own or have explicit permission to test.
• Do not access, modify, or exfiltrate data that does not belong to you.
• Give us a reasonable time to remediate before any public disclosure, and coordinate timing with us.

4. Out of Scope

The following are generally not eligible: denial-of-service attacks, social engineering or phishing of our staff or customers, physical attacks, automated scanning without a demonstrated impact, and reports affecting only unsupported or third-party systems. Vulnerabilities in our sub-processors should be reported to the relevant provider.

5. Safe Harbour

Activities conducted consistently and in good faith with this policy will be considered authorised conduct, and we will not initiate legal action against you. If a third party brings action against you for activities conducted in accordance with this policy, we will make it known that your actions were authorised.

Contact

security@cyberhorizon.co