Reporting a Security Vulnerability

Responsible Disclosure

If you discover a security vulnerability in Server Scout, we appreciate your responsible disclosure and ask that you report it directly to our team rather than publicly disclosing the issue. This allows us to investigate, fix the vulnerability, and protect our users before any potential exploitation.

Security vulnerabilities should be reported through one of these channels:

  • Support ticket: Create a high-priority support ticket at app.serverscout.ie with "Security Vulnerability" in the subject line
  • Direct email: Contact our team directly at security@serverscout.ie

What to Include in Your Report

To help us understand and address the vulnerability effectively, please provide:

Detailed Description

  • A clear explanation of the vulnerability
  • The affected system, component, or feature
  • The type of vulnerability (e.g., XSS, SQL injection, authentication bypass)

Steps to Reproduce

  • Step-by-step instructions to reproduce the vulnerability
  • Any specific conditions or configurations required
  • Browser or system requirements if relevant

Potential Impact

  • Your assessment of the severity and potential consequences
  • What data or systems could be affected
  • Whether the vulnerability could be exploited remotely

Supporting Evidence

  • Proof-of-concept code (if applicable)
  • Screenshots demonstrating the vulnerability
  • Request/response logs or other technical evidence
  • Any additional documentation that supports your findings

What NOT to Do

While we encourage security research, please observe these important guidelines:

  • Do not publicly disclose the vulnerability before our team has had a chance to investigate and implement a fix
  • Do not attempt to access other customers' data or accounts during your testing
  • Do not disrupt our service or perform actions that could impact other users
  • Do not perform extensive automated scanning that could degrade system performance
  • Do not social engineer our staff or attempt to gain unauthorised access to our systems

Our Response Process

We take security reports seriously and handle them with priority:

Initial Acknowledgement

Our team will acknowledge your report within 48 hours on business days (Monday to Friday, Irish timezone GMT/IST). You'll receive confirmation that we've received your report and begun our investigation.

Investigation Timeline

We aim to provide an initial assessment within 5 business days, including:

  • Confirmation of whether the reported issue constitutes a security vulnerability
  • Our preliminary assessment of severity and impact
  • An estimated timeline for resolution

Regular Updates

Throughout the investigation and remediation process, we'll provide regular updates on our progress and expected resolution timeline.

Resolution and Disclosure Timeline

Remediation

We aim to resolve confirmed security vulnerabilities promptly:

  • Critical vulnerabilities: within 7 days
  • High severity vulnerabilities: within 14 days
  • Medium/Low severity vulnerabilities: within 30 days

Coordinated Disclosure

We'll work with you to coordinate appropriate disclosure timing. This typically occurs after:

  • The vulnerability has been fully resolved
  • Adequate time has passed for users to receive updates
  • We've completed our internal security review

We believe in transparency and will publish security advisories for significant vulnerabilities once they've been resolved.

Recognition and Credits

We value the security research community's contributions to keeping Server Scout secure:

  • Credit: Reporters of valid security vulnerabilities will be credited for their discovery in our security advisories (if desired)
  • Hall of Fame: We maintain a security researchers hall of fame on our website
  • References: We're happy to provide a reference attesting to your responsible disclosure practice, for use in your portfolio

Please note: We currently don't offer a paid bug bounty programme, but we deeply appreciate and recognise researchers who help improve our security posture.

Questions About Security

If you have questions about our security practices or responsible disclosure process, please contact our team through the usual support channels. We're committed to maintaining the highest security standards and appreciate your help in achieving this goal.

Frequently Asked Questions

How do I report a security vulnerability in ServerScout?

You can report security vulnerabilities through two channels: create a high-priority support ticket at app.serverscout.ie with 'Security Vulnerability' in the subject line, or email directly to security@serverscout.ie. Always report privately rather than publicly disclosing the issue.

What information should I include when reporting a security vulnerability?

Include a detailed description of the vulnerability, step-by-step reproduction instructions, potential impact assessment, and supporting evidence like proof-of-concept code or screenshots. Specify the affected system, vulnerability type, and any special conditions required to reproduce the issue.

How long does ServerScout take to respond to security reports?

ServerScout acknowledges security reports within 48 hours on business days (Monday to Friday, Irish timezone). They provide an initial assessment within 5 business days, including vulnerability confirmation, severity assessment, and estimated resolution timeline.

What should I avoid when testing for security vulnerabilities?

Do not publicly disclose vulnerabilities before they're fixed, access other customers' data, disrupt the service, perform extensive automated scanning that degrades performance, or social engineer staff. Focus your testing on discovering vulnerabilities without impacting other users.

How quickly does ServerScout fix security vulnerabilities?

ServerScout aims to resolve critical vulnerabilities within 7 days, high severity issues within 14 days, and medium/low severity vulnerabilities within 30 days. They provide regular updates throughout the investigation and remediation process.

Does ServerScout offer rewards for reporting security vulnerabilities?

ServerScout doesn't currently offer a paid bug bounty program, but they provide recognition through credits in security advisories, inclusion in their security researchers hall of fame, and references for responsible disclosure practices for your portfolio.

When can I publicly disclose a vulnerability I reported to ServerScout?

Public disclosure should be coordinated with ServerScout and typically occurs after the vulnerability is fully resolved, adequate time has passed for users to receive updates, and internal security review is complete. ServerScout works with researchers on appropriate disclosure timing.
