Safa

Responsible Disclosure Policy

At SAFA Team, we may identify security vulnerabilities in third-party vendors' systems, applications, or services and wish to report them responsibly on behalf of security researchers. This Responsible Disclosure Policy outlines the guidelines and procedures for SAFA Team to report security vulnerabilities discovered by us to vendors or third parties.

Reporting a Vulnerability

When reporting vulnerabilities, we will contact the product owner, the affected third-party vendor, or an associated security rewards program (hereinafter the responsible party), whichever is identified as responsible for coordinated disclosure. In our communication, we will provide the following information:

  1. A summary of the vulnerability.

  2. Detailed steps to reproduce the vulnerability.

  3. Supporting evidence, such as screenshots, logs, or proof-of-concept code.

Response

We will monitor the vendor or third party's response and acknowledge any communication received from them. We will also maintain ongoing communication with the researcher(s) who identified the vulnerability.

Disclosure Timeline

Our commitment to responsible disclosure extends to our reporting of vulnerabilities to third-party vendors and third parties. The disclosure timeline in these cases is as follows:

Our policy is aligned with industry best practices and responsible disclosure guidelines. If a vendor does not respond to our disclosure within 120 days and after three follow-up attempts, we reserve the right to publish information about the vulnerability, with prior final notice to the vendor.

If the vendor fails to respond to our initial communication within 30 days, after three repeated attempts, we proceed with the disclosure.

If the vendor declares the bug a non-issue, no impact, won't fix, or a non-security bug, we will proceed with the disclosure at our own discretion. If the vulnerability is publicly exploited or becomes public knowledge, we might publish at our own discretion. This is especially important if someone publishes the same bug while we are in the disclosure process; in that case we don't want to wait another ~120 days.

Communication: Throughout the disclosure process, we will maintain communication with the vendor and the security researcher(s) who identified the vulnerability, providing updates on the progress and resolution efforts.

Legal Protections

Our policy is aligned with industry best practices and responsible disclosure guidelines. We will withhold public disclosure for 120 days after initial submission to leave sufficient time to distribute patches to the public. In special cases, upon the request of the responsible party accompanied by a reasonable explanation, we might extend this embargo period. Once the responsible party publishes the patch or vulnerability details we proceed with the disclosure regardless of the time frame. We will disclose vulnerability details at our own discretion, without further coordination in the following cases:

  1. When the responsible party fails to respond to our initial submission within 14 days and three follow-up attempts.

  2. When the responsible party chooses not to fix the vulnerability, is unable to fix it, or declares it out of scope or without security impact.

  3. When the vulnerability is actively exploited in the wild, or its details are published by other means.

In any case we will inform the responsible party of the disclosure 48 hours in advance.

Contact Information

If you have any questions or concerns regarding SAFA Team's Responsible Disclosure Policy for reporting vulnerabilities to third-party vendors or third parties, please contact us at hello@safateam.com.