Vulnerability Disclosure Policy

Security Binder welcomes good-faith reports of security vulnerabilities affecting Security Binder services.

This policy explains how to report vulnerabilities, what systems are in scope, what testing is not permitted, and how we handle coordinated disclosure.

Contact

Report vulnerabilities by email to info@nonasec.com.

Scope

In scope:

  • securitybinder.com
  • app.securitybinder.com, if applicable
  • public Security Binder application endpoints owned and operated by Security Binder

Staging, development, preview, or test environments are out of scope unless we explicitly authorize testing for a specific report or engagement.

Out of scope

  • denial-of-service or resource-exhaustion testing
  • spam, phishing, or social engineering
  • physical attacks
  • attacks against employees, contractors, customers, or partners
  • attempts to access, modify, delete, or exfiltrate customer data
  • automated high-volume scanning
  • credential stuffing
  • reports based only on missing security headers without an exploitable impact
  • reports based only on software version banners without exploitability
  • clickjacking or CSP findings without a demonstrated security impact
  • issues in third-party services not controlled by Security Binder

Authorization boundaries

Good-faith testing is authorized only when it stays within this policy, avoids harm and privacy violations, and stops as soon as a potential vulnerability has been identified. Do not escalate, pivot, or otherwise go beyond the minimum needed to demonstrate the issue.

Do not access, retain, modify, destroy, or disclose customer data. If you encounter non-public data, stop testing and report the issue immediately.

Reporting expectations

Please include:

  • affected URL or endpoint
  • vulnerability type
  • steps to reproduce
  • potential impact
  • relevant screenshots or proof of concept
  • whether any non-public data was encountered
  • your preferred contact method

Disclosure

Do not publicly disclose a vulnerability before we have investigated and had a reasonable opportunity to remediate it.

We will make a good-faith effort to acknowledge valid reports and coordinate remediation, but we do not guarantee a bounty, payment, public credit, or a specific remediation timeline.

No bounty

Security Binder does not currently operate a bug bounty program.

Safe harbor

For security research conducted in good faith and in compliance with this policy, we will not initiate legal action against you for the research activity itself. This does not authorize privacy violations, data exfiltration, destructive testing, denial-of-service activity, social engineering, or activity outside the scope of this policy.