Vulnerability Disclosure Policy 

Our Commitment 

We are committed to maintaining the security of our systems and protecting our customers’ information. We welcome reports from security researchers and members of the security community who identify potential vulnerabilities in our systems. 

If you believe you have discovered a security vulnerability, we encourage you to report it to us responsibly so that we can investigate and address it promptly. 

Reporting a Vulnerability 

Please send your report to: 

Email: soc@arimaclanka.com 

Please include, where possible: 

  • A description of the vulnerability. 
  • The affected application, service, or URL. 
  • Steps required to reproduce the issue. 
  • The potential impact. 
  • Proof of concept, screenshots, or other supporting information, where appropriate. 
  • Your contact information for follow-up questions. 

Our Commitment to You 

When you report a vulnerability in accordance with this policy, we will: 

  • Acknowledge receipt of your report as soon as reasonably possible. 
  • Review and validate the reported issue. 
  • Keep you informed of the progress of our investigation where appropriate. 
  • Work to remediate confirmed vulnerabilities within a reasonable timeframe based on severity and operational considerations. 

Guidelines for Security Research 

We ask that you: 

  • Act in good faith and avoid actions that could harm our customers, employees, or services. 
  • Only access information necessary to demonstrate the vulnerability. 
  • Do not modify, destroy, or retain data that does not belong to you. 
  • Do not interrupt or degrade our services. 
  • Do not exploit a vulnerability beyond what is reasonably necessary to confirm its existence. 
  • Do not publicly disclose the vulnerability. 

Out of Scope 

Unless expressly authorized in writing, the following activities are not permitted: 

  • Social engineering or phishing. 
  • Physical security testing. 
  • Denial-of-service (DoS or DDoS) testing. 
  • Spam or unsolicited communications. 
  • Attacks against third-party services that are not owned or operated by our company. 

Safe Harbor 

We support and encourage security research conducted in good faith. 

If you act in good faith, comply with this Vulnerability Disclosure Policy, make every effort to avoid privacy violations, data destruction, service interruption, or disruption to our systems, and promptly report any vulnerabilities you discover, we will not pursue legal action against you solely for your vulnerability research and disclosure activities conducted under this policy. 

This safe harbor applies only to activities carried out in accordance with this policy and does not extend to actions that intentionally exploit vulnerabilities beyond what is reasonably necessary to demonstrate their existence, access or modify data without authorization, disrupt our services, or violate applicable laws or regulations. 

If there is any uncertainty regarding whether a particular activity is permitted under this policy, please contact us before proceeding. 

Bug Bounty 

At this time, we do not operate a bug bounty program and do not guarantee financial compensation for reported vulnerabilities. We greatly appreciate responsible disclosures that help us improve the security of our services. 

Questions 

For any questions regarding this policy or to report a security concern, please contact: 

soc@arimaclanka.com