At SuperOps, we understand that protecting customer data is a significant responsibility and is our highest priority. We truly value the assistance of security researchers and people from the security community to help us keep our systems and data secure. Responsible disclosure of security vulnerabilities will help us ensure the security and privacy of all our users.
If you find any potential vulnerability in our products that meets the criteria listed below, please reach out to security@superops.com.
You will hear from our InfoSec team within 24 hours of reporting the vulnerability.
SuperOps will define the severity of the issue based on the impact and the ease of exploitation.
It may take 1 to 5 days to validate the reported vulnerability.
We will initiate necessary actions to fix the vulnerability in line with our commitment to security and privacy and notify you once we fix it.
When conducting security testing, please ensure that you do not violate any of our privacy policies, modify or delete unauthenticated user data, disrupt production servers, or degrade user experience in any way.
Conduct research only within the scope set out in our guidelines.
Use the identified communication channel, i.e., security@superops.com, to report any vulnerability to us.
Documenting or publishing the vulnerability details in any public domain goes against our responsible disclosure policy.
We trust you to keep information about any vulnerability confidential until we have resolved the issue.
Reporting guidelines
When you report a vulnerability to us, please provide the following details in the report:
Description and potential impact of the vulnerability.
A detailed description of the steps required to reproduce the vulnerability.
Where available, a video recording.
Your preferred name/handle for recognition in our security researcher hall of fame.
Domains in scope
.superops.com
Qualifying bugs
SQL/XXE Injection and command injection
Server-side request forgery (SSRF)
Remote code execution (RCE)
Misconfiguration issues on servers and applications
Cross-site request forgeries (CSRF)
Cross-Site Scripting (XSS)
Authentication and authorization-related issues
Non-qualified bugs
Hall of fame
Although we do not provide any reward for responsibly disclosing unique vulnerabilities and working with us to remediate them, we would like to publicly convey our deepest gratitude to the security researchers who do so. As a gesture of appreciation and goodwill, we will add your name to our hall of fame.
We would like to recognize the efforts of the following individuals for their contribution to our responsible disclosure program.