Vulnerability Disclosure Policy

Responsible Security Research and Disclosure

Effective Date: August 15, 2025
Last Updated: August 15, 2025


Introduction

ElasticScale BV is committed to ensuring the security of our platform, services, and customer data. We believe that working with security researchers and the broader security community is crucial to achieving this goal. This Vulnerability Disclosure Policy outlines how security researchers can responsibly report potential security vulnerabilities in our systems.

We welcome and encourage responsible security research of our services, including our website, ES Foundation platform, ES Portal, and related infrastructure. We are committed to working with researchers to verify, reproduce, and respond to legitimate reported vulnerabilities.

This policy is designed to give security researchers clear guidelines for conducting vulnerability research and reporting their findings to us in a responsible manner.


Scope

This policy applies to vulnerabilities discovered in the following ElasticScale systems and services:

In Scope

  • Primary Domain: elasticscale.com and all subdomains
  • ES Foundation Platform: Our managed AWS infrastructure platform
  • ES Portal: Customer dashboard and management interface
  • API Endpoints: All ElasticScale API services
  • Customer-Facing Applications: Any application or service directly provided by ElasticScale
  • Infrastructure Components: Systems directly controlled and operated by ElasticScale

Examples of Vulnerabilities We're Interested In

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side injection vulnerabilities (SQL injection, command injection, etc.)
  • Authentication and authorization flaws
  • Information disclosure vulnerabilities
  • Remote code execution
  • Privilege escalation
  • Cryptographic vulnerabilities
  • Business logic flaws that could lead to security issues
  • Infrastructure misconfigurations with security implications

Reporting Guidelines

How to Report

Send your vulnerability report to: [email protected]

What to Include in Your Report

To help us understand and reproduce the issue quickly, please include:

  1. Summary: A brief description of the vulnerability
  2. Affected Systems: Which systems, applications, or services are affected
  3. Vulnerability Details:
    • Type of vulnerability (e.g., XSS, SQL injection)
    • Location (URL, parameter, etc.)
    • Potential impact
  4. Reproduction Steps: Clear, step-by-step instructions to reproduce the issue
  5. Proof of Concept: Screenshots, videos, or code that demonstrates the vulnerability
  6. Severity Assessment: Your assessment of the potential impact and severity
  7. Remediation Suggestions: If you have suggestions for fixing the issue
  8. Your Contact Information: How we can reach you for follow-up questions

Report Quality

High-quality reports should:

  • Be clearly written and easy to understand
  • Include sufficient technical detail for reproduction
  • Demonstrate a clear security impact
  • Provide actionable information for remediation

What We Ask From You

To ensure responsible disclosure and maintain the security of our systems and customers, we ask that you:

Research Conduct

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Only interact with accounts you own or with explicit permission from the account holder
  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could negatively affect our customers or users
  • Limit your testing to the minimum necessary to demonstrate the vulnerability

Disclosure Guidelines

  • Report vulnerabilities as soon as possible after discovery
  • Do not publicly disclose the vulnerability until we have had sufficient time to address it
  • Do not share or discuss the vulnerability with others until public disclosure
  • Make a reasonable effort to comply with this policy before testing

Communication

  • Respond promptly to our requests for additional information or clarification
  • Be patient during our investigation and remediation process
  • Communicate through official channels ([email protected])

What You Can Expect From Us

Our Commitment

We are committed to:

  • Acknowledging receipt of your vulnerability report within 2 business days
  • Providing regular updates on our progress addressing the vulnerability
  • Working with you to understand and reproduce the issue
  • Treating your report confidentially and not sharing your personal information without permission
  • Recognizing your contribution to improving our security (with your permission)
  • Not pursuing legal action against researchers who comply with this policy

Response Timeline

  • Initial Response: Within 2 business days
  • Status Updates: At least every 5 business days during active investigation
  • Resolution Timeline: Varies based on severity and complexity, typically 30-90 days
  • Disclosure Coordination: We will work with you to coordinate public disclosure timing

Communication Standards

We will:

  • Communicate in English or Dutch
  • Provide clear and professional responses
  • Respect your preferred communication methods
  • Keep you informed of any changes to timelines or remediation plans

Disclosure Timeline

Our Process

  1. Receipt and Acknowledgment (0-2 days)
    • Acknowledge receipt of your report
    • Assign a tracking identifier
    • Conduct initial assessment
  2. Investigation and Validation (3-14 days)
    • Reproduce the vulnerability
    • Assess impact and severity
    • Determine remediation approach
  3. Remediation (15-90 days, depending on complexity)
    • Develop and test fixes
    • Deploy security updates
    • Verify vulnerability resolution
  4. Coordinated Disclosure (90+ days or after remediation)
    • Coordinate disclosure timeline with reporter
    • Prepare public advisories if necessary
    • Recognize contributor (with permission)

Public Disclosure

We prefer coordinated disclosure and will work with you to:

  • Ensure adequate time for remediation before public disclosure
  • Provide advance notice of our intended disclosure timeline
  • Recognize your contribution in any public advisories
  • Respect your preferences regarding public attribution

Recognition

Hall of Fame

We maintain a security researchers hall of fame to recognize individuals who have helped improve our security. With your permission, we will include:

  • Your name or handle
  • The date of the report
  • A brief description of the vulnerability type

Public Recognition

For significant vulnerabilities, we may:

  • Publicly acknowledge your contribution in security advisories
  • Mention your research in blog posts or presentations
  • Provide professional references or recommendations

Recognition Criteria

We recognize researchers who:

  • Report legitimate security vulnerabilities
  • Follow responsible disclosure practices
  • Provide high-quality, actionable reports
  • Demonstrate professionalism throughout the process

Note: We do not currently offer monetary bounties, but we greatly value the contributions of security researchers.


Legal Safe Harbor

ElasticScale will not pursue legal action against researchers who:

  • Comply with this policy and conduct research in good faith
  • Make a reasonable effort to avoid impacting other users and services
  • Report vulnerabilities promptly and cooperate with our remediation efforts
  • Do not violate any applicable laws or regulations during their research

Protection Scope

This safe harbor covers:

  • Security research activities conducted in accordance with this policy
  • Reporting of vulnerabilities through official channels
  • Good faith cooperation during the remediation process

Limitations

This safe harbor does not protect:

  • Violations of applicable laws or regulations
  • Research conducted outside the scope of this policy
  • Malicious activities or attacks against our systems
  • Unauthorized access to customer data or systems

Out of Scope

The following are considered out of scope for this program:

Technical Exclusions

  • Denial of Service (DoS/DDoS) attacks
  • Physical security issues at ElasticScale facilities
  • Social engineering attacks against ElasticScale employees
  • Spam or email delivery issues
  • Missing security headers without demonstrated impact
  • Self-XSS that cannot be used to attack other users
  • Issues requiring significant user interaction or social engineering

Third-Party Services

  • Customer AWS accounts or infrastructure managed by customers
  • Third-party services integrated with ElasticScale (unless the vulnerability is in our integration)
  • Open source projects we use (please report these to the project maintainers)

Business Logic

  • Issues that require admin/privileged access to exploit
  • Rate limiting bypasses without security impact
  • Minor configuration issues without security implications

Previously Known Issues

  • Vulnerabilities we're already aware of and working to fix
  • Issues already reported by other researchers
  • Known limitations documented in our security documentation

Contact Information

Vulnerability Reports

Primary Contact: [email protected]

General Security Questions

For general security questions or concerns that are not vulnerability reports: Email: [email protected]

Company Information

ElasticScale BV
Jelmersmeer 9
8448RR Heerenveen, Netherlands
Chamber of Commerce: 72064889

Response Languages

We can respond in English or Dutch.


Policy Updates

This vulnerability disclosure policy may be updated from time to time to reflect changes in our processes, legal requirements, or industry best practices. We will notify the security community of any significant changes through:

  • Updates to this policy on our website
  • Announcements through relevant security channels
  • Direct communication with active researchers

The latest version of this policy will always be available at: https://elasticscale.com/vulnerability-disclosure


We thank the security research community for helping us maintain the security and integrity of our platform and services. Your contributions are essential to protecting our customers and the broader community.
