Security
Vulnerability Disclosure Policy
Safe-harbor-style guidance for reporting Credensa security issues responsibly, without harming users or systems.
Private first
Report vulnerabilities privately to credensainfo@gmail.com with enough detail to reproduce and verify.
Minimize harm
Do not access user data, disrupt service, persist access, or publicly disclose before remediation.
Good-faith handling
Credensa aims to review reports, prioritize real impact, remediate issues, and credit researchers where appropriate.
How to report
Include enough information for the team to validate the issue quickly.
- Affected URL, endpoint, account state, browser/device, and environment
- Clear reproduction steps and expected versus actual behavior
- Impact statement explaining what data or control is at risk
- Screenshots, request/response samples, or proof-of-concept with secrets and user data redacted
Safe-harbor expectations
Good-faith researchers should avoid harm and comply with this policy.
- Use only your own account and test data
- Stop testing immediately if you encounter private data or service instability
- Do not extort, demand payment, sell vulnerability details, or threaten disclosure
- Give Credensa reasonable time to investigate and remediate before public discussion
Not allowed
Testing that harms users, vendors, or the platform is prohibited.
- Denial-of-service, spam, phishing, malware, credential stuffing, destructive testing, or social engineering
- Accessing, changing, deleting, exporting, or exposing data that is not yours
- Persistence, lateral movement, bypassing payment controls for benefit, or attacking vendors
- Publishing exploit details, secrets, or user data before coordinated remediation
Response process
Credensa should triage reports by reproducibility, severity, exploitability, and user impact.
- Acknowledgment target: as soon as practical
- Triage: validate scope, impact, affected systems, and required containment
- Remediation: patch, monitor, notify affected parties where required, and document root cause
- Credit: optional acknowledgment may be offered for valid good-faith reports
Send a private report
Use email for vulnerability reports. Include reproduction details and avoid sensitive data.