Security

Responsible Disclosure Policy

A security company without a disclosure policy would be ironic.

We build our reputation on finding vulnerabilities in other people's systems. It would be hypocritical not to invite the security community to test ours. If you find something, we want to hear about it.

Scope

What Is in Scope

In Scope

  • *.sherlockforensics.com
  • *.sforensics.com
  • Web application vulnerabilities (XSS, CSRF, injection)
  • Authentication and authorization flaws
  • Server misconfiguration
  • Information disclosure
  • Security header issues

Out of Scope

  • Social engineering attacks against employees
  • Denial of service (DoS/DDoS) attacks
  • Spam or email flooding
  • Physical security testing
  • Attacks against third-party services we use
  • Clickjacking on pages with no sensitive actions
  • Findings from automated scanners without validated proof of concept

Reporting

How to Report a Vulnerability

Send your findings to security@sforensics.com.

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Proof of concept (screenshots, code snippets, HTTP requests)
  • The affected URL or endpoint
  • Your assessment of impact and severity
  • Your preferred contact method for follow-up

Timeline

Our Response Commitment

Acknowledgment: Within 24 hours of receiving your report, we will confirm receipt and assign a tracking reference.

Initial Assessment: Within 72 hours, we will validate the vulnerability, assess severity and provide an initial response with our findings.

Critical Fix: Critical severity vulnerabilities will be remediated within 7 days. We will notify you when the fix is deployed.

Non-Critical Fix: Lower severity issues will be remediated within 30 days. We will keep you updated on progress and notify you when the fix is live.

Guidelines

Rules of Engagement

What We Ask

  • Do not access, modify or delete data belonging to other users
  • Do not degrade service availability or performance
  • Stop testing and report immediately if you access sensitive data
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it
  • Use only your own test accounts for authentication testing
  • Act in good faith throughout the process

What We Promise

  • We will not pursue legal action against researchers acting in good faith
  • We will respond to every valid report within the timelines stated above
  • We will credit you in our hall of fame (if you want to be credited)
  • We will keep you informed about remediation progress
  • We will treat every report with the seriousness it deserves

Recognition

Hall of Fame

Be the first to find something.

Researchers who responsibly disclose valid vulnerabilities will be recognized here with their permission.

Report a Vulnerability

Found something? Let us know.

Email security@sforensics.com with your findings. We respond within 24 hours.