Responsible Disclosure

Reporting a vulnerability

Email your findings to [email protected] with the subject line “Security — Responsible Disclosure”. Please include:

• A clear description of the issue and its potential impact.
• Step-by-step reproduction details or a proof of concept.
• Affected endpoints, URLs, parameters or components.
• Any logs, requests or screenshots that help us reproduce it.

Please report promptly and give us a reasonable opportunity to remediate before any public disclosure.

In scope

• The TraffXchange dashboard and marketing site.
• The public and authenticated REST API.
• Authentication, authorization and session handling.
• Issues that could expose message content, OTPs, credentials or billing data.

Out of scope

• Denial-of-service, volumetric or load testing against production.
• Social engineering of staff, customers or partners.
• Physical attacks, or attacks against third-party services we do not control.
• Reports from automated scanners without a demonstrated, exploitable impact.
• Best-practice suggestions with no concrete security impact.

Rules of engagement

Conduct testing only against your own account and data. Do not access, modify or exfiltrate data that does not belong to you, do not degrade the service for others, and do not retain, disclose or use any data you encounter. Stop immediately if you encounter customer message content or OTPs and report it to us.

Safe harbor

We will not pursue legal action against researchers who act in good faith, follow this policy and the rules of engagement above, and avoid privacy violations and service disruption. If in doubt about whether an action is authorized, ask us first at [email protected].

Our commitment

We will acknowledge valid reports, keep you informed of remediation progress, and credit researchers who wish to be recognized once an issue is resolved.