Skyalo

Vulnerability Disclosure Policy (VDP)

Updated: December 19, 2025 at 10:23 AM

We appreciate security research and welcome good-faith reports. We are not accepting external pentests at this time.

Scope

  • skyalo.com, *.skyalo.com

  • Skyalo mobile applications (latest public versions)

Out of scope: third-party services, DoS/traffic flooding, brute force, social engineering, physical attacks, spam/DMARC reports, version disclosure without impact, clickjacking without demonstrated impact, missing security headers without exploit.

Rules of Engagement

  • Act in good faith and avoid privacy violations or service degradation.

  • Use your own accounts/data only.

  • Do not access or modify data that isn’t yours. If you unintentionally access non-public data, stop immediately and notify us.

  • No automated scanning that impacts availability or stability.

How to Report

Email [email protected] with:

  • Affected host/endpoint and environment

  • Clear reproduction steps

  • Minimal PoC (HTTP request/response, screenshots)

  • Impact assessment and estimated severity (CVSS v3.1 preferred)

  • Testing time window and source IPs

Please do not include secrets (credentials, tokens, raw database dumps) in email; redact or mask sensitive data. If you require encryption, contact us and we’ll arrange a secure method.

Safe Harbor

If you follow this policy, we will not pursue legal action and will consider your research authorized for the limited purpose of reporting the issue.

Rewards & Recognition

We currently do not offer monetary rewards. For confirmed, non-duplicate issues we offer public acknowledgment (Hall of Fame) and, upon request, a letter of appreciation. Duplicate reports may be closed without additional recognition; credit goes to the first valid report we receive.

Timelines & SLAs

  • Acknowledgment: within 3 business days

  • Triage status update: after review

  • Coordinated disclosure: please withhold public details until a fix is available (up to 90 days)

Target remediation: Critical: 7 days; High: 30 days; Medium: 90 days; Low: backlog/as scheduled.