Vulnerability Disclosure Policy
How to responsibly report security vulnerabilities to ScaleAPIs.
Scope
Scale APIs welcomes good-faith security research that helps identify and report potential vulnerabilities affecting the ScaleAPIs website, platform, APIs, and related services.
This policy explains how to report suspected vulnerabilities responsibly and the boundaries that apply to security testing involving Scale APIs systems and services.
How To Report A Vulnerability
Please send security reports to:
security@scaleapis.com
Backup contact:
support@scaleapis.com
To help Scale APIs investigate efficiently, please include as much relevant information as possible, such as:
a description of the issue
the affected service, URL, endpoint, or feature
steps to reproduce the issue
proof-of-concept details where appropriate
the potential impact you observed
any relevant request IDs, timestamps, screenshots, or logs
What To Expect
Scale APIs will generally acknowledge good-faith vulnerability reports within 3 business days.
Scale APIs will review reported issues and work toward validation, triage, and remediation using a best-effort process based on severity, exploitability, operational impact, and the complexity of the fix.
Scale APIs does not promise a specific remediation deadline for every report.
Good-Faith Research Expectations
Scale APIs supports good-faith research conducted in a way that avoids harm to customers, other users, third parties, and the platform.
When researching or reporting a potential issue, you should:
act in good faith
avoid privacy harm, service disruption, and data destruction
stop testing once you confirm the issue and report it promptly
avoid accessing, modifying, retaining, or disclosing data that is not your own except to the minimum extent necessary to demonstrate the issue
give Scale APIs a reasonable opportunity to investigate and address the issue before making it public
Out-Of-Scope Or Prohibited Activity
This policy does not authorize or permit:
denial-of-service, load, or stress testing
social engineering, phishing, or impersonation
physical attacks or attempts to gain physical access
spam or abuse of support, billing, login, or notification systems
privacy-invasive testing, including unnecessary access to data belonging to other users
use of malware, destructive payloads, or persistence mechanisms
attempts to exploit vulnerabilities in third-party services beyond what is necessary to demonstrate an issue affecting Scale APIs
unlawful activity of any kind
This policy also does not authorize bypassing customer, user, or third-party rights, or continuing testing after being asked to stop.
Limited Safe Harbor
If you act in good faith, follow this policy, avoid prohibited activity, avoid intentionally harming others, and report the issue promptly to Scale APIs, Scale APIs will not consider your research to be unauthorized under this policy.
This statement is limited to the conduct described in this policy and does not bind third parties or override applicable law.
Coordinated Disclosure
Scale APIs asks that you avoid public disclosure of a reported vulnerability until Scale APIs has had a reasonable opportunity to investigate and address the issue.
If coordinated disclosure becomes appropriate, Scale APIs will work in good faith toward a reasonable disclosure timeline based on the nature and severity of the issue.
No Bug Bounty Promise
Scale APIs does not promise monetary rewards, bounties, or public recognition for vulnerability reports unless Scale APIs expressly states otherwise in a separate written program.
Policy Updates
Scale APIs may update this Vulnerability Disclosure Policy from time to time. Updated versions will apply prospectively unless otherwise required by applicable law.
Questions about this document?
If you have questions about this policy, contact us at legal@scaleapis.com.