Trust

Responsible disclosure

We encourage coordinated, responsible reporting of suspected vulnerabilities that could affect platform confidentiality, integrity, or availability. We do not run a bug bounty programme, but we do take every credible report seriously and will acknowledge researchers who identify and responsibly report confirmed issues.

Canonical artefact metadata

Owner: CyberSec Legal and Trust Office
Approver: CyberSec Executive Governance
Version: 1.0.0
Last reviewed: 2026-04-20
Next review due: 2026-10-20

How to report

  • Primary intake: info@cybersec.co.za
  • Required subject line: "Security Vulnerability Report".
  • Reports are triaged under coordinated-disclosure handling; the response targets are set out under "Triage and response targets" below.
  • Where a PGP key is published for the reporting address, please use it to encrypt reports that contain sensitive detail.

What to include

  • The impacted endpoint, route, feature, or integration path.
  • Reproduction steps and any required preconditions.
  • Observed behaviour, the expected secure behaviour, and your assessment of impact.
  • Proof-of-concept artefacts, constructed so that they demonstrate the issue without accessing real customer data.

Testing scope

In-scope research covers platform features and API surfaces that can be positively tied to CyberSec Consultants and this platform. This includes:

  • Authentication and session management.
  • Tenant authorization and cross-tenant isolation.
  • API endpoints and their input validation behaviour.
  • Report and board-pack generation and access control.
  • Integration connector authentication and data handling.

The following are out of scope and will not be accepted:

  • Volumetric denial-of-service or resource exhaustion attacks.
  • Social engineering or phishing of CyberSec Consultants staff.
  • Reports relying on physical access to infrastructure.
  • Issues in third-party services or dependencies not under our control.
  • Automated scanner output submitted without a demonstrated, specific impact.

Testing limits

Should your research give you access to another customer's data, or to CyberSec Consultants internal data, you must stop testing immediately and report the issue to us. Continuing to access data beyond what is needed to confirm the vulnerability moves your activity outside the safe harbour of security research and may have legal consequences.

Test only against accounts and tenants you own or have explicit written permission to test against.

Triage and response targets

  • Acknowledgment target: within 2 business days.
  • Initial severity assessment target: within 5 business days.
  • Remediation planning and coordinated disclosure timelines vary by verified severity.
  • Where a confirmed issue could affect other customers, we will notify impacted tenants as part of our incident process.

Safe harbour

Good-faith research that avoids privacy violations, service disruption, and data destruction, stays within the testing scope, respects the testing limits, and otherwise follows this policy will be treated as authorised security testing under coordinated-disclosure principles. We will not pursue legal action against researchers acting in good faith under these terms.