Responsible Disclosure

This Responsible Disclosure Policy explains how security researchers can report vulnerabilities affecting Skuntir-owned websites, systems, or services. We value good-faith research that helps us protect our clients, visitors, and infrastructure.

This policy applies only to assets owned or operated by Skuntir. Vulnerabilities in third-party products discovered during client engagements are handled under our Third-Party Vulnerability Disclosure Policy.

In-scope reports include vulnerabilities in:

• Public Skuntir websites and web applications
• Skuntir-owned APIs and supporting infrastructure
• Authentication, authorization, session handling, and access-control behavior
• Exposure of sensitive Skuntir data or secrets

Client systems, third-party platforms, social media accounts, and infrastructure not owned by Skuntir are out of scope unless we explicitly publish otherwise.

We ask researchers to avoid actions that could harm users, degrade service, or access data beyond what is strictly necessary to prove a vulnerability.

• Do not perform denial-of-service, resource exhaustion, spam, or destructive testing
• Do not use social engineering, phishing, physical intrusion, or employee targeting
• Do not modify, delete, or exfiltrate data beyond minimal proof of impact
• Do not publicly disclose a vulnerability before we have had a reasonable opportunity to remediate it

Send reports to security@skuntir.com. Please include enough detail for us to reproduce and assess the issue.

We aim to acknowledge valid reports within 2 business days. We will investigate, prioritize based on impact, and keep the reporter informed when meaningful updates are available.

If a report is valid and submitted in good faith under this policy, we will not pursue legal action against the reporter for the research activity described in the report.