Vulnerability Disclosure Policy
Last updated: September 17th, 2025
Saporo is committed to ensuring the security of our users and protecting their information. This policy provides security researchers with clear guidelines for conducting vulnerability discovery activities and outlines our process for submitting and handling vulnerability reports.
⚠️ Note: While we welcome responsible disclosures, our primary interest is in vulnerabilities affecting Saporo Applications. Vulnerabilities limited to marketing websites or non-critical content (e.g., saporo.io pages) are generally out of scope, and we discourage high volumes of low-impact web-related submissions.
Authorization
If you make a good-faith effort to comply with this policy during your research:
We will consider your research authorized.
We will work with you to understand and resolve the issue quickly.
Saporo will not recommend or pursue legal action related to your research.
If a third party initiates legal action against you for activities conducted under this policy, we will make this authorization known.
Guidelines
When conducting security research under this policy, you must:
Notify us as soon as possible after you discover a real or potential issue.
Make every effort to avoid:
Privacy violations
Degradation of user experience
Disruption to production systems
Destruction or manipulation of data
Use exploits only to confirm the vulnerability’s presence, not to:
Exfiltrate or manipulate data
Establish persistent access
Pivot to other systems
Provide us a reasonable amount of time to remediate before public disclosure.
Avoid submitting high volumes of low-quality or irrelevant reports.
Stop testing immediately if you encounter sensitive data (PII, financial, or proprietary) and notify us right away.
Test Methods
The following are not authorized:
Network denial of service (DoS/DDoS) or any test impairing system availability.
Physical security testing (e.g., office access, tailgating).
Social engineering (e.g., phishing, vishing).
Any other non-technical vulnerability testing.
Scope
In Scope
Saporo Applications (core platform and security products).
Saporo Websites (limited interest, see note above).
Out of Scope
Vendor systems and third-party services (report directly to the vendor).
Any system not expressly listed as in scope.
If unsure whether a system is covered, contact security@saporo.io before beginning research.
Reporting a Vulnerability
We accept reports through:
The form at the bottom of this page
Email: security@saporo.io
Reports may be submitted anonymously. If you include contact details, we will acknowledge receipt within 3 business days.
⚠️ We do not support PGP-encrypted emails, so email to security@saporo.io is not end-to-end encrypted. For sensitive details (credentials, proof-of-concept exploits, affected data), please use our HTTPS form instead.
What We’d Like to See in Reports
To help us triage and prioritize submissions, please include:
The location of the vulnerability and potential impact.
Steps to reproduce (proof-of-concept code or screenshots helpful).
Clear and concise description (in English, if possible).
What You Can Expect From Us
If you share contact information, Saporo commits to:
Acknowledge receipt within 3 business days.
Confirm the vulnerability’s existence, where possible.
Be transparent about remediation steps and potential delays.
Maintain an open dialogue during resolution.
Publish validated vulnerabilities and, if you wish, credit you in our Hall of Fame.
Questions
For questions or suggestions about this policy, contact us at security@saporo.io.