Responsible Disclosure Policy

We welcome security researchers to help us maintain the highest security standards for telecommunications infrastructure

Bug Bounty Program
24h Response Time
Rewards Program
Competitive bounties for valid security findings
Critical: $5,000 - $25,000
High: $1,000 - $5,000
Medium: $250 - $1,000
Low: $50 - $250
Response Timeline
Our commitment to timely responses
Initial response: 24 hours
Triage: 72 hours
Resolution: 30-90 days
Disclosure: Coordinated
Hall of Fame
Recognition for security researchers

• Public recognition on our website

• CVE credit attribution

• Conference speaking opportunities

• Exclusive researcher swag

Scope & Guidelines

In Scope

Primary Targets

  • cves.telco-sec.com (main application)
  • api.telco-sec.com (API endpoints)
  • admin.telco-sec.com (admin panel)
  • Mobile applications (iOS/Android)

Vulnerability Types

  • Authentication/Authorization flaws
  • SQL injection and NoSQL injection
  • Cross-site scripting (XSS)
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • Business logic vulnerabilities
  • Privilege escalation
  • Data exposure/leakage

Out of Scope

Excluded Targets

  • Third-party services and integrations
  • Social engineering attacks
  • Physical security testing
  • Denial of service (DoS/DDoS)

Low Priority Issues

  • Missing security headers (without impact)
  • SSL/TLS configuration issues
  • Clickjacking (without sensitive actions)
  • Information disclosure (non-sensitive)
  • Rate limiting issues
  • CSRF on logout/non-sensitive actions

How to Report

Reporting Channels

Email (Preferred)

Send detailed reports to our security team:

security@telco-sec.com

Use our PGP key for sensitive information (key available for download).

Secure Form

Use our encrypted reporting form for anonymous submissions.

Report Requirements

Required Information

  • Detailed vulnerability description
  • Step-by-step reproduction steps
  • Proof of concept (PoC) code/screenshots
  • Impact assessment
  • Affected URLs/endpoints
  • Browser/environment details

Best Practices

  • Use test accounts when possible
  • Minimize data access/modification
  • Provide clear, reproducible steps
  • Include relevant logs/evidence
  • Suggest remediation if possible

Rules & Legal Safe Harbor

Allowed Activities

  • Automated scanning with reasonable rate limits
  • Manual testing of application functionality
  • Social engineering of test accounts only
  • Testing with your own accounts/data
  • Responsible disclosure coordination

Prohibited Activities

  • Accessing other users' data without permission
  • Modifying or deleting data
  • Disrupting service availability
  • Social engineering of employees/users
  • Physical attacks on infrastructure
  • Public disclosure before coordination

Legal Safe Harbor

We commit to not pursue legal action against researchers who follow this policy and report vulnerabilities in good faith. This includes protection under applicable laws and regulations for security research activities conducted within these guidelines.

Security Researchers Hall of Fame

We recognize and thank the following security researchers for their responsible disclosure of vulnerabilities:

  • Alex Chen: Critical RCE Discovery ($15,000)
  • Maria Rodriguez: Authentication Bypass ($8,500)
  • David Kim: SQL Injection Chain ($5,200)

Want to join our Hall of Fame? Start by reviewing our scope and submitting your first report!

Questions about our Responsible Disclosure Policy?

Last updated: January 2025 | Policy Version 3.2