Our Responsible Disclosure Policy

At Validateskills.com, the security of our users, clients and partners is a top priority. We value the contributions of the security community and welcome responsible reports that help us keep our platform safe. If you believe you have found a vulnerability, please let us know so we can investigate and fix it as quickly as possible.

1) Our Commitment

We will acknowledge your report promptly.

We will investigate and remediate validated issues in a timely manner.

We will keep you informed of progress and, where appropriate, coordinate public disclosure once a fix is available.

2) Responsible Testing Guidelines

When researching and reporting vulnerabilities, you must:

Make every effort to avoid privacy violations, service degradation, or data destruction.

Only target your own accounts or test data. Do not access or modify data that does not belong to you.

Stop testing immediately if you encounter customer data, personal data, or confidential information, and report the exposure to us.

Do not perform actions that could disrupt services (e.g., DoS/traffic floods, spam, destructive testing).

Do not retrieve more data than the minimum needed to demonstrate a proof of concept; where possible, prove impact without retrieving any data at all.

Do not share details of an issue publicly or with third parties until we confirm a fix or coordinated disclosure schedule.

3) In Scope

The following are in scope for Validateskills.com and our production domains and services:

Web applications and APIs operated by Validateskills.com (including subdomains we control).

Authentication, session management, and authorization controls.

Access control flaws, injection issues, cross‑site scripting (XSS), cross‑site request forgery (CSRF), server‑side request forgery (SSRF), insecure direct object references (IDOR), sensitive data exposure, security misconfigurations, and logic flaws.

Vulnerabilities in configurations of our cloud resources where exploitation affects customer data, integrity, or service availability.

Note: If you are unsure whether a target or finding is in scope, email us before testing.

4) Out of Scope (Non‑Qualifying)

The following are not considered in scope for this policy:

Denial‑of‑Service (DoS/DDoS), resource exhaustion, or volumetric attacks.

Automated scanning findings without a working, security‑impacting proof of concept.

Best‑practice recommendations without demonstrable risk (e.g., missing HTTP security headers with no exploit path).

Rate‑limiting or brute‑force findings without clear, material impact.

Clickjacking on pages without sensitive actions, open redirects without meaningful impact, self‑XSS, or spam or email‑authentication (DKIM/DMARC) configuration suggestions.

Physical attacks, social engineering, phishing, or attacks against employees, customers, or third‑party providers.

Vulnerabilities in third‑party platforms not owned or controlled by Validateskills.com.

5) Safe Harbor

We support good‑faith security research. If you comply with this policy while discovering and reporting a vulnerability, we will not initiate legal action or law‑enforcement investigation against you for your research activities.

This safe harbor applies only to good‑faith actions that:

Are limited to our in‑scope systems;

Avoid privacy violations, service disruption, and data exfiltration;

Follow the Responsible Testing Guidelines above; and

Are reported to us promptly and confidentially.

This safe harbor does not extend to actions that are unlawful, intentionally harmful, or that put data and systems at risk.

6) How to Report a Vulnerability

Please send your report to: security@validateskills.com

Include the following to help us triage efficiently:

Summary of the issue and potential impact.

Affected URL(s)/endpoint(s), parameters, or components.

Proof of concept (steps, payloads, scripts, or screenshots).

Your environment details (browser, tool versions, OS).

Any temporary mitigation you recommend.

7) Triage & Disclosure Timeline

Acknowledgement: within 3 business days.

Initial assessment: within 7 business days (we’ll confirm validity, severity, and next steps).

Remediation: prioritised by severity and impact.

Coordinated disclosure: we will agree a timeline with you; please do not publish details until a fix is deployed and customers are protected.

We may use industry practices (e.g., CVSS‑style severity scoring, business impact, exploitability) to prioritise. We reserve the right to adjust timelines for complex issues or for fixes that depend on third‑party providers.

8) Recognition & Rewards

At this time, Validateskills.com does not operate a paid bug bounty programme. However, we value your contribution and may offer public recognition (with your consent) on a “Security Hall of Fame” page and a letter of thanks.

9) Privacy & Data

Do not intentionally access personal data. If you inadvertently encounter such data, stop and report immediately.

Do not copy, store, transfer, or share any data encountered during testing.

Do not test using real customer data—use test accounts and synthetic data.