Security Vulnerability Disclosure Policy

SrinTech considers the security of our systems and data a top priority. This policy outlines our approach to security vulnerability disclosure and provides guidelines for security researchers.

1. Responsible Disclosure Guidelines

We require that all researchers:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data
• Use only the designated communication channels to report vulnerability information
• Keep information about any vulnerabilities you've discovered confidential until we have resolved the issue
• Do not perform any attack that could harm the reliability/integrity of our services or data

2. Reporting Vulnerabilities

Include in your report:

1. Detailed description of the vulnerability
2. Steps to reproduce the issue (proof-of-concept scripts or screenshots)
3. Impact assessment of the vulnerability
4. Your contact information

3. Our Commitment

• 72h Response to initial vulnerability reports
• 5d Triage assessment completion
• 30d Regular status updates throughout remediation
• 90d Target resolution time for critical vulnerabilities
• Public acknowledgement in our Security Hall of Fame (with permission)

4. Safe Harbor Terms

Security researchers acting in good faith and in accordance with this policy can expect:

• No legal action or suspension of accounts related to research activities
• Protection of researcher identity (unless public acknowledgement requested)
• Coordination on public disclosure timelines
• Gratitude for helping protect our users and systems

5. Out-of-Scope Vulnerabilities

The following are generally not eligible for reward:

• Denial of Service (DoS/DDoS) vulnerabilities
• Social engineering attacks
• Physical security assessments
• Third-party service vulnerabilities (unless directly exploitable via SrinTech)
• Automated scanner reports without proof-of-concept

Policy Version: 2.1 | Last Updated: August 8, 2025