Last updated: July 07, 2025
At Spartans Security, safeguarding the integrity of our infrastructure, services, and products is a core priority. We are dedicated to protecting our clients and users by ensuring that security vulnerabilities are reported responsibly and addressed in a timely manner. This page outlines our approach to vulnerability reporting, acknowledgment, and remediation. Through continuous research and proactive monitoring, we respond to security threats and have published multiple CVEs as part of our ongoing commitment to the broader cybersecurity and business community.
Our disclosure scope covers vulnerabilities in software, services, and infrastructure owned and managed by Spartans Security, as well as vulnerabilities researched and found by Spartans Security in third-party products that are not part of another CNA's scope.
Spartans Security values responsible disclosure and invites researchers, partners, and customers to report any identified vulnerabilities through our official channel.
• Email: Send your findings to vulnerability@spartanssec.com with a subject line containing “Vulnerability Report”.
Required Information in the report:
We ask reporters to provide the following information in the report so that triage can proceed without delay.
• Include the affected product name, version, vendor (if known), and details about the impacted service or infrastructure.
• Detailed description of the vulnerability.
• Clear, step-by-step instructions to replicate the issue.
• Proof of concept (POC).
• Remediation steps to fix the vulnerability.
• Any potential risk or impact of the vulnerability.
Once we receive your vulnerability report, we will:
• Acknowledge your submission within five business days.
• Conduct a thorough investigation to evaluate the severity of the issue.
• Keep you informed regularly about the status of our analysis and the steps taken to fix it.
• Collaborate on a coordinated public disclosure after the vulnerability has been addressed.
We commit to:
• Provide timely and responsible responses.
• Update you regularly on the progress and expected timelines for remediation.
• Collaborate closely with you to thoroughly understand and fix the issue.
• Acknowledge your contribution (with your consent) once the vulnerability is resolved.
• Assign a CVE identifier to your finding where it meets the eligibility criteria.
We follow a coordinated disclosure timeline:
• Initial Acknowledgment: We will respond to your report within five business days.
• Evaluation: The vulnerability will be analyzed and assigned a severity level based on the CVSS framework.
• Remediation: For high-severity vulnerabilities, we aim to provide a patch within 90 days. In cases of critical issues, an urgent fix may be issued more quickly.
• Public Disclosure: After the solution is implemented and confirmed, we will work together with you to plan the public disclosure.
Details about the vulnerability will be made public only after:
• A patch or fix has been developed and rolled out.
• Customers have been given adequate time to implement the update.
Security advisories will be posted on the Spartans Security Blog.
As an authorized CVE Numbering Authority (CNA), we assign CVE identifiers to confirmed eligible vulnerabilities. Researchers who report valid issues will be acknowledged as the submitter, unless anonymity is requested by the researcher.
The following types of issues typically pose limited immediate risk but should still be addressed as part of overall security hygiene:
• Session Identifier in URL – Session tokens passed via URL can be exposed in browser history, logs, or referrer headers.
• Clickjacking or UI Redressing – Due to the absence of proper frame restrictions.
• Unencrypted Data Transmission – Use of plain HTTP instead of HTTPS for sensitive data exchange.
• Application or Server Fingerprinting – Unnecessary disclosure of software version details through headers or error messages.
• Weak or Misconfigured SSL/TLS Implementations – Including outdated ciphers, invalid certificates, or susceptibility to known attacks like BREACH.
• Missing or Misconfigured Security Headers – Such as X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, etc.
• Cookie Misconfigurations – Including cookies lacking the HttpOnly, Secure, or SameSite attributes.
• Cross-Origin Resource Sharing (CORS) Misconfigurations – Overly permissive CORS policies that allow unauthorized domains.
• Lack of a Content Security Policy (CSP) – Increasing the risk of XSS or content injection attacks.
• Auto-fill Enabled on Password Fields – Allowing browsers to store credentials in potentially insecure ways.
• Disclosure of Public or Non-sensitive Information – Such as application paths, internal IP ranges, or user enumeration without critical impact.
To ensure responsible testing and protect our systems and users, the following actions are not allowed under our security testing or vulnerability disclosure guidelines:
• Human-targeted manipulation (Social Engineering) – This includes phishing, impersonation, or any social engineering techniques.
• Physical intrusion or tampering – Gaining access to offices, devices, or hardware is strictly prohibited.
• Issues in unrelated third-party software – Unless they have a direct and verifiable impact on our platform.
• Service disruption tests – Denial of Service (DoS), brute-force attacks, or other activities that degrade system performance, unless part of a broader exploitable issue.
• Unauthorized access to internal systems – Testing should be limited to publicly exposed assets; any attempt to compromise internal networks is out of bounds.
• Use or distribution of malicious software – This includes uploading or linking to viruses, trojans, or any form of malware.
• Data tampering – Modifying, deleting, or corrupting information is not permitted under any circumstance.
• Unauthorized access to confidential data – Including attempts to extract, download, or leak sensitive information.
• Illegal activity or violations of terms of service – Any action that contravenes laws or user agreements is strictly off-limits.
We value the contributions of the security research community and are committed to creating a safe space for responsible disclosures.
• We encourage ethical security testing and responsible reporting practices that align with industry standards.
• Legal action will not be pursued against individuals who identify and report vulnerabilities in good faith, following our guidelines.
For inquiries related to this policy or to submit a potential security issue, please email: vulnerability@spartanssec.com
Responsible reporting helps maintain a safer and more secure experience for all users. Your efforts are sincerely appreciated.