Purpose of Policy
At Comtract Communications, we are committed to maintaining the security and privacy of our systems and users. We value the contributions of the security research community and welcome reports of potential vulnerabilities.
Scope
This policy applies to all publicly accessible digital assets owned and operated by Comtract Communications, including web applications, APIs, and network infrastructure.
Guidelines for Responsible Disclosure
• Do not exploit the vulnerability beyond what is necessary to demonstrate it.
• Do not access, modify, or delete any data that does not belong to you.
• Avoid privacy violations, data destruction, and service disruption.
• Do not perform denial of service or social engineering attacks.
• Give us a reasonable amount of time to investigate and remediate the issue before any public disclosure.
Reporting a Vulnerability
Please report security issues to: security@comtractcommunications.com
Include the following in your report:
• Description of the vulnerability
• Steps to reproduce the issue
• Any relevant screenshots, logs, or proof-of-concept code
• Your contact information (for follow-up)
• Access to secrets must be strictly controlled using RBAC and enforced with multi-factor authentication (MFA).
Our Commitment
• We will acknowledge receipt of your report within 48 hours.
• We will investigate the issue and provide status updates.
• We will notify you when the issue is resolved.
• We are open to crediting researchers for valid discoveries (upon request).
Safe Harbor
We consider vulnerability research conducted under this policy to be authorized. We will not pursue legal action against researchers who act in good faith and follow the guidelines provided herein. If legal action by a third party arises, we will take the necessary steps to communicate that your activities were conducted in alignment with our Responsible Disclosure Policy.