Last updated: July 07, 2025
At Spartans Security, we take the security of our infrastructure, products, and services very seriously. Protecting our clients and users and ensuring that vulnerabilities are responsibly disclosed and addressed are of utmost importance to us. This page outlines our policies and processes for reporting, acknowledging, and mitigating security vulnerabilities.
This policy applies to any vulnerability affecting:
• Software products: Applications, tools, and libraries.
• Services: Cloud-based or hosted services.
• Infrastructure: Websites and systems accessible to customers or partners.
If you identify a vulnerability within these products or services, we encourage you to follow the responsible disclosure guidelines outlined below.
Please note that there is no reward scheme for discovering a vulnerability.
We encourage security researchers, partners, and customers to report any vulnerabilities they find.
How to Report:
• Email: Send your findings to vulnerability@spartanssec.com with a subject line containing “Vulnerability Disclosure”.
Required Information:
• Affected product, service, or infrastructure.
• Detailed description of the vulnerability.
• Steps to reproduce the issue.
• Proof of concept (if applicable).
• Recommended remediation.
• Any potential impact of the vulnerability.
Upon receiving your vulnerability report, we will:
• Acknowledge your submission within 5 business days.
• Investigate the issue and assess its severity.
• Provide regular updates on the progress of the investigation and remediation.
• Coordinate a public disclosure once the issue has been resolved.
We commit to:
• Respond promptly and responsibly.
• Work with you to understand the issue fully and resolve it.
• Credit you (with your permission) for the discovery once the vulnerability is remediated.
• Keep you informed of remediation progress and timelines.
We follow a coordinated disclosure timeline:
• Initial Response: Within 5 business days.
• Assessment: We will evaluate the vulnerability and assign it a severity rating using CVSS.
• Resolution and Fix: Depending on the severity, our goal is to release a fix within 90 days for high-severity issues. Critical vulnerabilities may receive an emergency patch sooner.
• Public Disclosure: Once a fix is available and verified, we will coordinate with you on a public announcement.
We will publicly disclose the details of the vulnerability once:
• A fix is available and deployed.
• Sufficient time has been given to customers to apply the patch.
We will publish security advisories on the Spartans Security Threat Blog.
As a CVE Numbering Authority (CNA), we will assign a CVE ID to validated vulnerabilities. If you’re a researcher reporting a vulnerability, you will be credited for the CVE submission (unless you prefer anonymity).
• SSL/TLS-based vulnerabilities; for example: BREACH attack, or invalid SSL certificate.
• Missing security headers.
• Fingerprinting/Banner disclosures.
• Content Spoofing.
• Information disclosure of non-confidential information.
• Password AutoComplete Enabled.
• Insecure HTTP Transport.
• TLS Cookie Without HttpOnly Flag Set.
• Content Security Policy (CSP).
• Insecure Frame.
The following are considered out-of-scope:
• Social engineering attacks (phishing).
• Physical attacks on infrastructure or devices.
• Vulnerabilities in third-party libraries unless they directly affect our products.
• Denial of Service (DoS) attacks unless they expose a broader security flaw (this includes brute forcing).
• Any breach of the internal network or services.
• Posting, transmitting, uploading, linking to, or sending any malware.
• Attempts to modify or destroy data.
• Attempts to extract or exfiltrate sensitive data.
• Any other action that is unlawful or contrary to legally enforceable terms and conditions for using a product or service.
We value the contributions of security researchers and commit to:
• No legal action against researchers who report vulnerabilities responsibly.
• Encouraging adherence to ethical research and responsible disclosure guidelines.
For any questions regarding this policy or to submit a report:
Email: vulnerability@spartanssec.com
We appreciate your efforts in helping us maintain a secure environment for all users.