Sign in Request demo

Responsible security

Vulnerability Disclosure Policy

eMate Cloud runs a multi-tenant email-security SaaS. Reporting a vulnerability responsibly helps us protect every customer — thank you.

How to report

Email: [email protected]

PGP: Public key available on request.

RFC 9116: /.well-known/security.txt

Please include:

  • A clear description of the issue and the impact you observed
  • Steps to reproduce (PoC, screenshots, request/response captures)
  • The affected URL / endpoint / service / git ref
  • Your name or handle (optional, for Hall of Fame credit)

Do not open a public GitHub issue for security reports.

Service-level commitments

Step Target
Acknowledgement (human reply) 48 business hours
Initial assessment + severity 14 calendar days
Critical-severity remediation 90 calendar days
Non-critical remediation 180 calendar days
Public disclosure window 90 days (standard)

For unresponsive reports beyond 14 days, escalate to [email protected].

Scope

In-scope

  • *.emate.cloud (production websites, dashboard, API)
  • platform.emate.cloud SaaS dashboard and REST API
  • Container images shipped from services/* Dockerfiles
  • Build / deploy automation under .github/workflows
  • DNS records, ACM certificates, CloudFront/S3 distributions we control

Out-of-scope

  • Findings that require physical access, social engineering, or insider abuse
  • Denial-of-service requiring sustained high traffic or paid infrastructure
  • Brute-force / credential stuffing without showing an actual access vector
  • Self-XSS, CSRF on logout / static endpoints, and other low-impact issues
  • Phishing simulations targeting customers, partners, or staff
  • Scanning customer tenants' DNS records or RUA endpoints
  • Vulnerabilities in third-party services we integrate with (AWS, Cloudflare, SendGrid, Anthropic). Report those to the vendor and copy us if useful.

Safe-harbor

If you act in good faith, follow this policy, and avoid violating user privacy or destroying data, eMate Cloud:

  • Will not pursue or support legal action against you
  • Will work with you to understand and resolve the issue quickly
  • Will publicly credit you (opt-in) in our Hall of Fame
  • Considers your activity authorised under CFAA, NIS2 art 6, AR Ley 26.388 and equivalent regional frameworks

This safe-harbor does not authorise testing third-party services, exfiltrating live customer data, or making any change visible to other tenants.

Bounty

We do not yet offer a public bug-bounty programme. Selected researchers may be invited to our private HackerOne programme (timing on our internal roadmap).

Supported versions

  • Active: main branch + current prod tag (v3.36+)
  • Best-effort: tags older than 90 days (critical only)
  • Unsupported: forks or mirrors (merge upstream)

Trust + compliance

  • ISO 27001 Phase 2 ✓
  • SOC 2 Type II readiness in progress (target: May 2027)
  • Public compliance posture: COMPLIANCE.md on GitHub

Last updated: 2026-06-02