Security Reporting Guidelines

Introduction

At Soundreef, we take the security of our systems and our users’ data very seriously.
We value the contributions of security researchers who help us identify and mitigate vulnerabilities in a responsible manner.

This policy outlines how to report security issues to us, what you can expect in return, and our guidelines for responsible disclosure.

Reporting a Vulnerability

If you discover a security vulnerability in any Soundreef service, please contact us at:

[email protected]

When reporting, please include:

  • A clear description of the issue.
  • Steps to reproduce the vulnerability.
  • Any potential impact or risk.
  • (Optional) Suggestions for remediation.

Our Commitment

  • We will acknowledge receipt of your report within 48 hours.
  • We will provide regular updates as we investigate and fix the issue.
  • We will notify you once the vulnerability has been resolved.
  • We will not take legal action against researchers who adhere to this policy and act in good faith.

Recognition

At this time, we do not offer monetary rewards for vulnerability reports.
However, we do offer recognition in the following ways:

  • Public acknowledgment in our Security Hall of Fame (with your consent).
  • The opportunity to publish a technical write-up of your findings once the issue has been resolved (see “Publication of Write-ups”).
  • A formal letter of appreciation upon request.

Responsible Disclosure Guidelines

To protect our users and systems, we ask that you:

  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not access, modify, or delete data that does not belong to you.
  • Do not publicly disclose details of the vulnerability until we have confirmed it has been resolved (see “Publication of Write-ups”).
  • Make a good-faith effort to avoid privacy violations, disruption of service, or degradation of our systems.

Publication of Write-ups

We support and encourage the publication of technical write-ups by security researchers who report vulnerabilities to us.
To protect our users, we ask that such publications follow these guidelines:

  • Write-ups may only be published after the vulnerability has been fully resolved in production.
  • We may request a short embargo period (e.g. 30–90 days after the fix) to ensure stability and protection for our users.
  • We kindly ask that researchers share a draft of their write-up with us prior to publication, so we can verify that no sensitive information (such as user data, credentials, or configuration secrets) is unintentionally disclosed.
  • We will gladly acknowledge and link to the write-up in our own Security Advisories or Hall of Fame, unless the researcher prefers to remain anonymous.

By adhering to these principles, researchers can responsibly share their work, contribute to the security community, and help improve Soundreef’s overall security posture.

Out of Scope

The following are generally not considered in scope for this policy:

  • Denial of Service (DoS/DDoS) attacks.
  • Spam or social engineering.
  • Vulnerabilities in third-party services not operated by Soundreef.
  • Reports that are not reproducible.

Thank You

We greatly appreciate your contributions in helping us maintain a secure environment for our users.