Vulnerability Disclosure Policy

Effective: January 22, 2026

At SPEKMI, we take security seriously. We appreciate the work of security researchers and the broader security community in helping us maintain the security of our platform and protect our users. This policy outlines how to report security vulnerabilities responsibly.

1. Our Commitment

Security is a core priority at SPEKMI. We are committed to:

  • Investigating all legitimate security reports in a timely manner
  • Working with security researchers to understand and validate reported issues
  • Implementing appropriate fixes and mitigations
  • Keeping reporters informed of our progress
  • Recognizing the contributions of security researchers who help us improve

2. Scope

In Scope

The following assets and services are covered by this policy:

  • spekmi.com - Main website
  • app.spekmi.com - Application platform
  • api.spekmi.com - API endpoints
  • SPEKMI mobile applications (if applicable)

Out of Scope

The following are explicitly out of scope:

  • Third-party services and websites (including our hosting provider)
  • Social engineering attacks (phishing, vishing, etc.)
  • Physical security attacks
  • Denial of Service (DoS/DDoS) attacks
  • Attacks requiring physical access to a user's device
  • Attacks on users' browsers or devices
  • Vulnerabilities in outdated browsers or plugins
  • Spam or social engineering techniques
  • Email spoofing and related email configuration issues (SPF/DKIM/DMARC)

3. How to Report a Vulnerability

If you believe you have discovered a security vulnerability, please report it to us by email:

Security Contact

security@spekmi.com

What to Include

Please include the following information in your report:

  • Description: A clear description of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Affected Assets: URL(s) or component(s) affected
  • Impact Assessment: Your assessment of the potential impact
  • Proof of Concept: Screenshots, videos, or code snippets (if applicable)
  • Suggested Fix: If you have recommendations for remediation

Preferred Languages

We accept vulnerability reports in English or French.

4. Our Promise to Researchers

When you report a vulnerability to us in good faith, we commit to:

Timely Response

Acknowledge your report within 5 business days

Open Communication

Keep you informed of our progress throughout the process

Safe Harbor

Not pursue legal action against good-faith security researchers

Recognition

Credit you for your discovery (with your consent) after remediation

5. Guidelines for Researchers

To ensure your research is conducted responsibly and within legal boundaries, please follow these guidelines:

Do report vulnerabilities as soon as possible after discovery

Do provide sufficient detail for us to reproduce and understand the issue

Do use test accounts you control when testing

Do allow reasonable time for remediation before disclosure

Don't access, modify, or delete other users' data

Don't disrupt service availability or degrade user experience

Don't share vulnerability details publicly before we've had time to fix them

Don't use automated scanners that generate excessive traffic

Don't attempt to exfiltrate any data beyond what is necessary to demonstrate the vulnerability

6. Privacy

When you submit a vulnerability report, we will collect and process your personal data (such as your name, email address, and any other information you provide) to:

  • Communicate with you about your report
  • Investigate and remediate the reported vulnerability
  • Credit you for your discovery (if you consent)

Your personal data will be processed in accordance with our Privacy Policy. We will not share your personal information with third parties without your consent, except as required by law.

7. Legal Safe Harbor

If you conduct security research in good faith and in accordance with this policy, we consider your research to be:

  • Authorized concerning any applicable anti-hacking laws
  • Authorized concerning any relevant anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would otherwise prohibit security testing

We will not initiate legal action against you or report you to law enforcement for security research conducted in compliance with this policy.

8. Contact

For security-related inquiries or to report a vulnerability:

SPEKMI Security Team

Email: security@spekmi.com

SPEKMI by BSCG
90 rue de Rivoli
75004 Paris, France