Found a vulnerability?
Let’s fix it together
This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to Salesfire. We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it.
We value those who take the time and effort to report security vulnerabilities according to this policy.
Our commitment: We investigate all legitimate reports in a timely manner.
You must not:
• Break any applicable law or regulations.
• Access unnecessary, excessive or significant amounts of data.
• Modify data in Salesfire's systems or services.
• Use high-intensity, invasive or destructive scanning tools to find vulnerabilities.
• Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
• Disrupt Salesfire's services or systems.
• Social engineer, 'phish' or physically attack Salesfire's staff or infrastructure.
• Demand financial compensation in order to disclose any vulnerabilities.
• Publicly disclose a vulnerability before we have had reasonable time to fix it.
What happens next?
After a report is submitted, we will acknowledge it within 5 working days and aim to keep you informed of our progress.
Priority for remediation is assessed using a risk-based approach that considers not only the technical severity of the issue, but also factors such as exploitability, real-world likelihood of abuse, and potential business impact. This approach helps us prioritise the most relevant and actionable issues first.
Vulnerability reports might take time to triage or address. You’re welcome to enquire about the status but should avoid doing so more than once every 14 days to allow our teams to focus on remediation.
We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.
Once your vulnerability has been resolved, we welcome requests to disclose your report.
So that affected users receive consistent guidance, please continue to coordinate any public release with us.
Scope
• In scope: Salesfire-owned web apps, APIs, dashboards, and publicly reachable services.
• Out of scope: Third-party services, social media platforms, demo or sandbox environments, DoS/DDoS attacks, spam, social engineering, physical security, non-exploitable or informational findings (including general best-practice observations), and standalone TLS/SSL configuration issues where no practical exploit exists.
• Testing rules: No data extraction, no service degradation, no production brute-force/fuzzing at volume.
Legal Safe Harbour (UK)
Salesfire welcomes responsible testing and coordinated vulnerability disclosure. If you follow the principles of this policy, we will not pursue or support legal action under the Computer Misuse Act 1990 or related legislation.
This protection applies provided that you act responsibly, avoid privacy violations or service disruption, do not exploit or share any discovered vulnerability beyond what’s necessary to demonstrate it, and give us reasonable time to investigate and resolve the issue before any public disclosure.
Recognition (Optional)
Salesfire's Vulnerability Disclosure Programme
Contact
For non-security support, please contact [email protected].
For any other security matters, use the form above or email [email protected].